maxbond 11 hours ago

Maybe checking new packages for the following:

- Substantially the same README as another package

- README links to a GitHub that links back to a different package

And additionally:

- Training a local LLM on supply-chain malware as they capture examples, and scanning new releases with it. This wouldn't stop an xz-style attack but will probably catch crypto stealers some of the time.

- Making a "messages portal" for maintainers and telling them never to click a link in an email to see a message from the repository (and never including a link in legitimate emails). You get an email that you have a message and you log in to read it.

Hackbraten 10 hours ago | parent [-]

Checking the README for similarity to other packages can cause false positives for benign, legitimate forks.

maxbond 10 hours ago | parent [-]

Sure, I'm not saying those projects should be automatically deleted or something. Just that it's worth looking into. Maybe you put a message on the package's page notifying potential users and put it into a moderation queue. Maybe a volunteer takes a look at it, and if they find something, they hit the "report malware" button. Maybe you ask for confirmation if they try to add such a package on the command line.

Just spitballing.

vlovich123 9 hours ago | parent [-]

And maybe with a banner like "WARNING: This package appears similar to this more popular package X. Did you mean to use that instead?".
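
An added sketch of the checks discussed in this thread (not code from any commenter or from a real registry): it compares a new upload's README against established packages with word-shingle Jaccard similarity, checks whether the linked repository declares a different package name, and only routes matches to a moderation queue with the suggested banner. The package names, README text, the 0.8 threshold and the `repo_declares` input are assumptions made for illustration.

```python
import re

def shingles(text, k=5):
    """Set of k-word shingles from lower-cased README text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    if not words:
        return set()
    return {" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0

def review_new_package(name, readme, repo_declares, known, threshold=0.8):
    """Flag a new upload for human review; nothing is deleted automatically.

    repo_declares: package name declared by the repository the README links
    to (assumed to be resolved by the registry beforehand).
    known: {name: readme} for established packages.
    """
    mine = shingles(readme)
    similar_to, best = None, 0.0
    for other, other_readme in known.items():
        score = jaccard(mine, shingles(other_readme))
        if other != name and score > best:
            similar_to, best = other, score
    reasons = []
    if best >= threshold:
        reasons.append("readme_similar")
    else:
        similar_to = None
    if repo_declares and repo_declares != name:
        reasons.append("repo_points_to_other_package")
    banner = None
    if "readme_similar" in reasons:
        banner = (f"WARNING: This package appears similar to this more popular "
                  f"package {similar_to}. Did you mean to use that instead?")
    return {"package": name, "similar_to": similar_to, "similarity": round(best, 2),
            "reasons": reasons, "action": "moderation_queue" if reasons else "none",
            "banner": banner}

# Constructed sample data: package names and README text are made up.
KNOWN = {"leftpadder": "leftpadder pads strings on the left. Install it, then call "
                       "pad(text, width) to get a padded string back."}
SQUAT = review_new_package("leftpader", KNOWN["leftpadder"], "leftpadder", KNOWN)
FORK = review_new_package("leftpadder-fork", KNOWN["leftpadder"], "leftpadder-fork", KNOWN)
CLEAN = review_new_package("csvtool", "csvtool prints selected columns of a CSV file.",
                           "csvtool", KNOWN)
```

The fork case trips only the README signal and the lookalike trips both, so a reviewer can prioritise by the number of reasons instead of treating every similar README as malicious.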