Comment by justsid
25 days ago
Doesn’t that just move the problem 7 days down the road? I always assumed these kinds of things just burn themselves because someone gets infected and realizes, not that there is an army of people auditing the changes. If everyone cooldowns for 7 days, it just happens later?
A large portion of the time, the maintainer notices what happened a few hours later. Maybe they were asleep or off doing other things for a while, but they eventually come back. And these kinds of takeovers frequently aren't complete enough to cover their tracks.
So at the very least, adding a cooldown raises the difficulty of these attacks above that threshold.
> large portion of the time, the maintainer notices what happened a few hours later.
So add it at the package manager level instead of the user level then?
Would be bad for software/progress I guess, but it got me thinking: if we had an expectation that a dev would post an update checksum/hash, then follow it up a day later with the update itself...
(well maybe that leads to kidnappings idk)
edit - heh, sibling comment on package manager-level must be much smarter
> Would be bad for software/progress I guess but
We all need to slow down and get some perspective. “Progress” doesn’t mean “rush everything and do it now now now”. Advancements should be slow, methodical, considered. That’s a good thing, not a weakness.
I fail to see how this isn't a simple cooldown with more steps. It doesn't seem to add anything to the security posture of the package/update.
These get detected almost immediately, and removed by npm within hours (axios, tanstack at least)
But who will detect them on day one once everyone ignores them for seven days?
These things are usually caught by tools specifically scanning npm or by the maintainers noticing their account is compromised, not by people auditing their own installed packages.
There are some companies that specialize in detecting those, they do it for free (and get lots of marketing for it…)
AI agents
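The thread discusses two ideas: a package-manager-level cooldown that refuses releases younger than some age, and a maintainer announcing a hash ahead of the release itself. The script below is an added example, not code from any commenter or from npm; it shows how such a cooldown check works against the registry's per-package "time" metadata and what "fail closed" looks like when a version has no publish record. The package names, timestamps, lockfile shape (a flat name-to-version mapping) and tarball bytes are all constructed for the example.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Minimum age a release must have before it is allowed into a build.
DEFAULT_COOLDOWN = timedelta(days=7)

# Constructed sample shaped like the npm registry's per-package "time" object
# (keys are versions, values are ISO-8601 publish timestamps). Package names
# and dates are hypothetical.
SAMPLE_REGISTRY_TIME = {
    "example-lib": {
        "created": "2024-01-01T00:00:00.000Z",
        "modified": "2024-03-10T12:00:00.000Z",
        "1.4.2": "2024-02-01T09:30:00.000Z",
        "1.4.3": "2024-03-10T12:00:00.000Z",
    },
    "example-util": {
        "created": "2023-06-01T00:00:00.000Z",
        "modified": "2023-06-01T00:00:00.000Z",
        "0.9.0": "2023-06-01T00:00:00.000Z",
    },
}

# Constructed flattened view of a lockfile: resolved name -> pinned version.
# "example-missing" has no registry metadata and must be treated as unknown.
SAMPLE_LOCK = {
    "example-lib": "1.4.3",
    "example-util": "0.9.0",
    "example-missing": "2.0.0",
}

# Fixed "current time" so the demo is reproducible (constructed).
DEMO_NOW = datetime(2024, 3, 12, tzinfo=timezone.utc)
SAMPLE_TARBALL = b"constructed tarball bytes, not a real package"


def parse_publish_time(ts: str) -> datetime:
    """Parse a registry timestamp ending in 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def release_age(registry_time: dict, name: str, version: str, now: datetime):
    """Return how long ago name@version was published, or None if unknown."""
    published = registry_time.get(name, {}).get(version)
    if published is None:
        return None
    return now - parse_publish_time(published)


def find_cooldown_violations(lock, registry_time, now, cooldown=DEFAULT_COOLDOWN):
    """List lockfile entries younger than the cooldown or lacking a publish record.

    Unknown versions are reported too: a cooldown that silently lets through
    anything it cannot date would be trivially bypassed by missing metadata.
    """
    violations = []
    for name, version in lock.items():
        age = release_age(registry_time, name, version, now)
        if age is None:
            violations.append((name, version, "no publish record"))
        elif age < cooldown:
            violations.append((name, version, f"published {age.days} day(s) ago"))
    return violations


def run_demo(now=DEMO_NOW):
    """Evaluate the constructed lockfile against the constructed registry data."""
    return find_cooldown_violations(SAMPLE_LOCK, SAMPLE_REGISTRY_TIME, now)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_announced_hash(tarball: bytes, announced_sha256_hex: str) -> bool:
    """Check a fetched tarball against a hash the maintainer published earlier.

    Models the "announce the hash first, ship the update later" idea: a release
    whose bytes do not match the pre-announced digest is rejected.
    """
    return sha256_hex(tarball) == announced_sha256_hex.strip().lower()


if __name__ == "__main__":
    for name, version, reason in run_demo():
        print(f"BLOCK {name}@{version}: {reason}")
    print("announced hash matches:",
          verify_announced_hash(SAMPLE_TARBALL, sha256_hex(SAMPLE_TARBALL)))
```

Run as-is it blocks `example-lib@1.4.3` (published a day and a half before the fixed demo time) and `example-missing@2.0.0` (no publish record), while `example-util@0.9.0` passes. The age comparison uses the registry's own timestamps, so the check is only as trustworthy as that metadata; the hash check is independent of it and only holds if the announced digest was obtained out of band before the release appeared.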