Comment by boredhedgehog
2 hours ago
> Why cooldowns? Most npm (or pypi) compromises were taken down within hours,
But won't more people on cooldown mean a lower likelihood of catching the bug, thus extending the need for cooldowns?
These compromises are usually caught within hours by security researchers performing automated scanning of all published packages.
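To make the cooldown mechanism being debated concrete, here is an added example (written for this page, not code from the thread, from npm, or from any package manager) of how a cooldown-aware resolver picks a version: it reads the per-version publish timestamps that the npm registry exposes in a package document's `time` map, treats every version younger than the cooldown as "held", and installs the newest version that has already aged past it. The package name, version numbers and dates below are constructed sample data, and the function names are my own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of a registry "time" map for a hypothetical package.
# The shape mirrors the npm registry's per-package document, which records the
# ISO 8601 publish time of every version plus "created"/"modified"; the versions
# and dates here are made up for the example.
SAMPLE_TIME_MAP = {
    "created": "2023-01-10T12:00:00.000Z",
    "modified": "2024-06-01T09:30:00.000Z",
    "1.0.0": "2023-01-10T12:00:00.000Z",
    "1.1.0": "2024-03-15T08:00:00.000Z",
    "1.2.0": "2024-05-30T18:45:00.000Z",  # two days old at the sample "now"
    "1.2.1": "2024-06-01T09:30:00.000Z",  # under a day old at the sample "now"
}

# Keys in the time map that are not version numbers.
NON_VERSION_KEYS = {"created", "modified"}


def parse_registry_time(value):
    """Parse the registry's millisecond-precision UTC timestamp."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def version_key(version):
    """Sort key for plain numeric semver (assumes no prerelease/build tags)."""
    return tuple(int(part) for part in version.split("."))


def split_by_cooldown(time_map, cooldown_days, now_iso):
    """Split versions into (eligible, held) relative to a cooldown window.

    A version is held while it is younger than cooldown_days at time now_iso;
    anything published at or before the cutoff is eligible for installation.
    """
    cutoff = parse_registry_time(now_iso) - timedelta(days=cooldown_days)
    eligible, held = [], []
    for version, published in time_map.items():
        if version in NON_VERSION_KEYS:
            continue
        (eligible if parse_registry_time(published) <= cutoff else held).append(version)
    return sorted(eligible, key=version_key), sorted(held, key=version_key)


def pick_cooled_version(time_map, cooldown_days, now_iso):
    """Return the newest version that has aged past the cooldown, or None.

    None means every published version is still inside the window, so a
    resolver enforcing the cooldown would have to fail the install rather
    than silently fall through to a fresh release.
    """
    eligible, _held = split_by_cooldown(time_map, cooldown_days, now_iso)
    return max(eligible, key=version_key) if eligible else None


if __name__ == "__main__":
    now = "2024-06-02T00:00:00.000Z"  # constructed sample clock
    for days in (0, 7):
        eligible, held = split_by_cooldown(SAMPLE_TIME_MAP, days, now)
        print(f"cooldown={days}d pick={pick_cooled_version(SAMPLE_TIME_MAP, days, now)} "
              f"eligible={eligible} held={held}")
```

With a 7-day cooldown the resolver installs `1.1.0` and holds `1.2.0` and `1.2.1`; with no cooldown it takes `1.2.1` immediately. The held list is exactly the set of versions that a cooldown keeps off the machines honouring it, which is the trade-off the comment above is weighing: those versions still get installed by everyone without a cooldown (and scanned by the automated systems the reply mentions), just not by the cooldown's own users.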