Comment by XYen0n
25 days ago
If everyone avoids using packages released within the last 7 days, malicious code is more likely to remain dormant for 7 days.
> If everyone avoids using packages released within the last 7 days, malicious code is more likely to remain dormant for 7 days.
What do you base that on? Threat researchers (and their automated agents) will still keep analyzing new releases as soon as they’re published.
Their analysis was triggered by open source projects upgrading en masse and revealing a new anomalous endpoint, so it does require some pioneers to take the arrows. They didn't spot the problem entirely via static analysis, although with hindsight they could have done (missing GitHub attestation).
A security company could set up a honeypot machine that installs new releases of everything automatically and have a separate machine scan its network traffic for suspicious outbound connections.
The fact threat researchers and especially their automated agents are not all that good at their jobs
Those threat researchers and their autonomous agents caught this axios release.
> What do you base that on?
The entire history of malware lol
Can you elaborate? Why do you believe that motivated threat hunters won’t continue to analyze and find threats in new versions of open source software in the first week after release?
that's why people are telling others to use 7 days but using 8 days themselves :)
brb, switching everything to 9 days
That is 3D chess level type shit. xD
You don't have to be faster than the bear, you just have to be faster than the other guy.
Genius
I suspect most packages will keep a mix of people at 7 days and those with no limit. That being said, adding jitter to these features by default would be good.
>adding jitter by default would be good
This became evident, what, perhaps a few years ago? Probably since childhood for some users here but just wondering what the holdup is. Lots of bad press could be avoided, or at least a little.
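The minimum-release-age plus jitter idea above, as an added example that is not code from the thread, from npm or from any package manager: a resolver that picks the newest version published at least N days ago, with a deterministic per-project jitter so that not every consumer flips to a release on the same day, and an optional blocklist for the case raised later in the thread where the "safe" older version is itself the compromised one. The `time` map follows the shape of npm registry metadata (version to ISO publish date); the package versions, dates and the FNV-1a jitter hash are assumptions for illustration.

```javascript
// Added example, not from the thread. Resolves the newest version that is at
// least `minAgeDays` (+ jitter) old, mirroring a "7-day minimum age" policy.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed registry metadata shaped like npm's `time` field: version -> ISO
// publish time (plus the "created"/"modified" keys npm also stores there).
// All versions and dates are made up for this example.
const SAMPLE_TIME = {
  created: "2026-01-01T00:00:00.000Z",
  modified: "2026-02-01T12:00:00.000Z",
  "1.7.0": "2026-01-01T00:00:00.000Z",
  "1.7.1": "2026-01-20T00:00:00.000Z",
  "1.8.0": "2026-01-28T00:00:00.000Z",
  "1.8.1": "2026-02-01T12:00:00.000Z",
};

// FNV-1a 32-bit hash, used only to derive a stable jitter without any deps.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// Deterministic jitter in [0, maxJitterDays): the same project always waits the
// same extra time for the same package, but different projects are staggered
// across the window instead of all upgrading on day 7.
function jitterDays(consumerId, pkgName, maxJitterDays) {
  const frac = fnv1a32(`${consumerId}:${pkgName}`) / 2 ** 32;
  return frac * maxJitterDays;
}

// Returns the newest version published on or before (now - minAgeDays - jitter),
// skipping anything in `blocked` (e.g. versions named in an advisory), or null.
function selectVersion({ time, now, minAgeDays, jitter = 0, blocked = new Set() }) {
  const cutoff = now.getTime() - (minAgeDays + jitter) * DAY_MS;
  const eligible = Object.entries(time)
    .filter(([v]) => v !== "created" && v !== "modified")
    .filter(([, t]) => new Date(t).getTime() <= cutoff)
    .filter(([v]) => !blocked.has(v))
    .map(([v]) => v);
  if (eligible.length === 0) return null;
  // Newest by publish time first (a real resolver would also apply semver ranges).
  eligible.sort((a, b) => new Date(time[b]).getTime() - new Date(time[a]).getTime());
  return eligible[0];
}

// Stand-alone demo: a 7-day rule on 2026-02-05 (constructed "now") picks 1.8.0,
// even though 1.8.0 would be the compromised one if an advisory said so; only the
// blocklist keeps it out of the lockfile.
function demo() {
  const now = new Date("2026-02-05T00:00:00.000Z");
  const jitter = jitterDays("project-alpha", "example-pkg", 3);
  return {
    plain: selectVersion({ time: SAMPLE_TIME, now, minAgeDays: 7 }),
    jittered: selectVersion({ time: SAMPLE_TIME, now, minAgeDays: 7, jitter }),
    advisory: selectVersion({ time: SAMPLE_TIME, now, minAgeDays: 7, blocked: new Set(["1.8.0"]) }),
  };
}

console.log(demo());
```

The blocklist step is the practical caveat: a release-age delay is a heuristic that buys scanners time, and a version that was already malicious when it crossed the age threshold is selected just like any other unless something else (an advisory feed, a lockfile audit) excludes it.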
They’re usually picked up by scanners by then.
> If everyone avoids using packages released within the last 7 days
Which will never even come close to happening, unless npm decides to make it the default, which they won't.
Most people won’t.
7 days gives ample time for security scanning, too.
This highly depends on the detection mechanism.
But wouldn't the type of people that notice anomalous network activity be exactly the type of people who add a 7 day delay because they're security conscious?
And I’ll bet a chunk of already-compromised vibe coders are feeling really on-top-of-shit because they just put that in their config, locking in that compromised version for a week.