Comment by aftbit
9 hours ago
With this _actual_ attack, it would have been trivial to detect. The signature was:
1. Orphaned package adopted
2. Has post-install hook added
3. Which uses npm or bun
Yes, you're right - detecting this could have led to a more sophisticated attack. Security is always a cat and mouse game. The purpose isn't to stop every attack - it's to raise the costs for attackers and the visibility for defenders.
Any attacker who wants to attack 1000s of packages is going to necessarily leave some signatures, unless they're extremely careful. If they change one thing but not another, you can tie them both together.
Think of this like email anti-spam. It hasn't gotten rid of spam, but it has made it much more expensive to operate.
Combine this with a minimum package age to give the scanners time to run and humans time to inspect, and the ecosystem as a whole gets much more secure.
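The three-part signature in the comment above (ownership change on a long-dormant package, a newly added install-time hook, and that hook re-entering a package manager) plus the minimum-age gate can be written as a release-diff check. The block below is an added example, not code from the commenter or from any real registry scanner; the manifests are constructed, and the `maintainers` and `publishedAt` fields are assumptions about what a registry feed would expose.

```javascript
// Added example: heuristic scan of a new npm release against the previous one.
// Manifests below are constructed; field names are assumptions, not npm's API.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Commands that re-enter a package manager or fetch remote content at install time.
const INSTALL_TIME_FETCH = /\b(npm|npx|bun|bunx|curl|wget)\b/;
const DAY_MS = 86_400_000;

function lifecycleHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const hooks = {};
  for (const name of LIFECYCLE_HOOKS) {
    if (typeof scripts[name] === "string") hooks[name] = scripts[name];
  }
  return hooks;
}

function maintainerNames(manifest) {
  return new Set((manifest.maintainers || []).map((m) => m.name));
}

// Compare the previous release to a new one. Returns { findings, verdict } where
// verdict is "allow", "review" (a human looks) or "hold" (do not install yet).
function scanRelease(prev, next, { nowMs, minAgeDays = 7, dormantDays = 365 }) {
  const findings = [];

  const before = maintainerNames(prev);
  const after = maintainerNames(next);
  const newMaintainers = [...after].filter((n) => !before.has(n));
  const keptMaintainers = [...after].filter((n) => before.has(n));
  if (newMaintainers.length > 0 && keptMaintainers.length === 0) {
    findings.push("maintainers-replaced");
  } else if (newMaintainers.length > 0) {
    findings.push("maintainer-added");
  }

  // "Orphaned package adopted": a long gap since the last release, then someone new.
  const gapDays = (Date.parse(next.publishedAt) - Date.parse(prev.publishedAt)) / DAY_MS;
  if (gapDays >= dormantDays && newMaintainers.length > 0) findings.push("dormant-revived");

  // New or changed lifecycle hooks, and whether they shell out to npm/bun/etc.
  const oldHooks = lifecycleHooks(prev);
  const newHooks = lifecycleHooks(next);
  let hookFetches = false;
  for (const [name, cmd] of Object.entries(newHooks)) {
    if (oldHooks[name] === cmd) continue; // hook unchanged since last release
    findings.push(`hook-changed:${name}`);
    if (INSTALL_TIME_FETCH.test(cmd)) {
      findings.push(`hook-fetches:${name}`);
      hookFetches = true;
    }
  }

  // Minimum package age: give scanners and humans time before anyone installs it.
  const ageDays = (nowMs - Date.parse(next.publishedAt)) / DAY_MS;
  const tooNew = ageDays < minAgeDays;
  if (tooNew) findings.push("below-min-age");

  const ownershipChanged = newMaintainers.length > 0;
  let verdict = "allow";
  if (tooNew || (ownershipChanged && hookFetches)) verdict = "hold";
  else if (findings.length > 0) verdict = "review";
  return { findings, verdict };
}

// Constructed sample: a package untouched for two years is taken over and
// republished a day ago with a postinstall hook that runs npm.
const NOW = Date.parse("2025-09-15T00:00:00Z");
const oldRelease = {
  name: "left-padding-helper", version: "1.4.2",
  publishedAt: "2023-06-01T00:00:00Z",
  maintainers: [{ name: "original-author" }],
  scripts: { test: "node test.js" },
};
const adoptedRelease = {
  name: "left-padding-helper", version: "1.4.3",
  publishedAt: "2025-09-14T00:00:00Z",
  maintainers: [{ name: "new-owner" }],
  scripts: { test: "node test.js", postinstall: "npm install -g ./vendor/helper.tgz" },
};
// Constructed benign release: same owner, six weeks old, a harmless prepare script.
const benignRelease = {
  name: "left-padding-helper", version: "1.4.3",
  publishedAt: "2025-08-01T00:00:00Z",
  maintainers: [{ name: "original-author" }],
  scripts: { test: "node test.js", prepare: "node build.js" },
};

function demo() {
  return {
    adopted: scanRelease(oldRelease, adoptedRelease, { nowMs: NOW }),
    benign: scanRelease(oldRelease, benignRelease, { nowMs: NOW }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The benign release still lands in "review" because any new lifecycle hook is worth a glance, while the adopted release is held both on the ownership-plus-hook combination and on age alone; the age gate is the only rule here that an attacker cannot dodge by being careful about what they change.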