cube00 3 days ago

> But right now there are still no signed dependencies

Considering these attacks are stealing API tokens by running code on developers' machines, I don't see how signing helps; attackers will just steal the private keys and sign their malware with those.

deevus 3 days ago

Could they detect code running from a new IP address or location and ask for a 2FA code?

cube00 3 days ago

postinstall is running on the developer's machine; from an endpoint security perspective, it's the actual developer performing the malicious actions: their machine, their IP address and their location.
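Added example (not any commenter's code) that illustrates cube00's point from the defender's side: a small Python audit that lists which packages in an npm install tree declare lifecycle hooks, so they can be reviewed before they are allowed to run on the developer's machine; the package tree and names it builds are constructed sample data, and `find_install_scripts` is a hypothetical helper name.

```python
"""Audit an npm install tree for packages that declare install-time
lifecycle scripts (added example; constructed sample data, not real packages)."""
import json
import tempfile
from pathlib import Path

# npm lifecycle hooks that execute arbitrary commands during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_scripts(node_modules: Path) -> dict[str, dict[str, str]]:
    """Return {package_name: {hook: command}} for every package under
    node_modules whose package.json declares one of LIFECYCLE_HOOKS."""
    findings: dict[str, dict[str, str]] = {}
    for manifest in node_modules.rglob("package.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, don't crash
        scripts = data.get("scripts") or {}
        hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
        if hooks:
            name = data.get("name") or str(manifest.parent.relative_to(node_modules))
            findings[name] = hooks
    return findings


def build_sample_tree() -> Path:
    """Construct a throwaway node_modules with one clean package and one
    that declares a postinstall hook (constructed sample, not real packages)."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    pkgs = {
        "left-pad-clone": {"name": "left-pad-clone", "version": "1.0.0",
                           "scripts": {"test": "node test.js"}},
        "suspicious-pkg": {"name": "suspicious-pkg", "version": "0.1.0",
                           "scripts": {"postinstall": "node setup.js"}},
    }
    for dirname, manifest in pkgs.items():
        (root / dirname).mkdir(parents=True)
        (root / dirname / "package.json").write_text(json.dumps(manifest))
    return root


if __name__ == "__main__":
    # Expected: only suspicious-pkg is reported, with its postinstall command.
    for pkg, hooks in find_install_scripts(build_sample_tree()).items():
        print(f"{pkg}: {hooks}")
```

Run it against a real `node_modules` after installing with `npm ci --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`), so nothing executes until the listed hooks have been reviewed.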

deevus 2 days ago

That's a good point. Thanks.