Comment by justsid
3 hours ago
Doesn’t that just move the problem 7 days down the road? I always assumed these kinds of things just burn themselves because someone gets infected and realizes, not that there is an army of people auditing the changes. If everyone cooldowns for 7 days, it just happens later?
A large portion of the time, the maintainer notices what happened a few hours later. Maybe they were asleep or off doing other things for a while, but they eventually come back. And these kinds of takeovers frequently aren't complete enough to cover their tracks.
So at the very least, adding a cooldown raises the difficulty of these attacks above that threshold.
Would be bad for software/progress I guess, but it got me thinking: if we had an expectation that a dev would post an update checksum/hash, then follow it up a day later with the update itself...
(well maybe that leads to kidnappings idk)
edit - heh, sibling comment on package manager-level must be much smarter
I fail to see how this isn't a simple cooldown with more steps. It doesn't seem to add anything to the security posture of the package/update.
> large portion of the time, the maintainer notices what happened a few hours later.
So add it at the package manager level instead of the user level then?
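As an added illustration of what a package-manager-level cooldown could look like (example code written for this thread, not code from npm, pnpm or any commenter): the npm registry's packument for a package includes a `time` map of version to publish timestamp, so a resolver can ignore `dist-tags.latest` and pick the newest version that is at least N days old. The packument below is constructed for the example; the package name, versions and dates are invented, and the "hijacked" 1.4.0 release is a hypothetical, not a real incident.

```javascript
// Added example: a registry-level "cooldown" resolver built on the npm
// packument `time` map (version -> ISO 8601 publish time).
// SAMPLE_PACKUMENT is constructed for this example; nothing here is real data.
const SAMPLE_PACKUMENT = {
  name: "example-lib",
  "dist-tags": { latest: "1.4.0" },
  time: {
    created: "2023-01-10T12:00:00.000Z",
    modified: "2025-09-08T03:15:00.000Z",
    "1.2.0": "2025-06-01T09:00:00.000Z",
    "1.3.0": "2025-08-20T14:30:00.000Z",
    "1.3.1": "2025-08-25T10:00:00.000Z",
    // Hypothetical: a release pushed from a hijacked maintainer account,
    // only minutes old at the time the install runs.
    "1.4.0": "2025-09-08T03:15:00.000Z",
  },
};

const DAY_MS = 24 * 60 * 60 * 1000;

// Only plain x.y.z versions are considered; this also drops the
// "created"/"modified" keys that live in the same map.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Split the published versions into those old enough to install and those
// still inside the cooldown window. Versions with unparsable timestamps are
// treated as too young: an unknown age must not bypass the cooldown.
function partitionByCooldown(packument, cooldownDays, now = new Date()) {
  const cutoff = now.getTime() - cooldownDays * DAY_MS;
  const eligible = [];
  const held = [];
  for (const [version, ts] of Object.entries(packument.time)) {
    if (parseSemver(version) === null) continue;
    const published = Date.parse(ts);
    if (Number.isFinite(published) && published <= cutoff) {
      eligible.push(version);
    } else {
      held.push(version);
    }
  }
  eligible.sort(compareSemver);
  held.sort(compareSemver);
  return { eligible, held };
}

// Newest version that satisfies the cooldown, or null if none does.
// `dist-tags.latest` is deliberately ignored: it points at whatever was
// published most recently, which is exactly what a cooldown distrusts.
function resolveWithCooldown(packument, cooldownDays, now = new Date()) {
  const { eligible } = partitionByCooldown(packument, cooldownDays, now);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

// Stand-alone demo: an install run shortly after the hypothetical bad release.
const installTime = new Date("2025-09-08T04:00:00Z");
const picked = resolveWithCooldown(SAMPLE_PACKUMENT, 7, installTime);
const { held } = partitionByCooldown(SAMPLE_PACKUMENT, 7, installTime);
console.log(`${SAMPLE_PACKUMENT.name}: installing ${picked}, holding back ${held.join(", ")}`);
```

With a 7-day cooldown the resolver installs 1.3.1 and reports 1.4.0 as held back; once the window passes without the release being unpublished, the same code picks 1.4.0 with no user action. A manager that does this still needs to honour a lockfile and an explicit override, so a deliberate emergency upgrade (a security fix you want now) can be pinned past the cooldown.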
These get detected almost immediately, and removed by npm within hours (axios, tanstack at least)