Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
XYen0n 12 hours ago

If everyone avoids using packages released within the last 7 days, malicious code is more likely to remain dormant for 7 days.

otterley 12 hours ago | parent | next [-]

What do you base that on? Threat researchers (and their automated agents) will still keep analyzing new releases as soon as they’re published.

mike_hearn 8 hours ago | parent | next [-]

Their analysis was triggered by open source projects upgrading en-masse and revealing a new anomalous endpoint, so, it does require some pioneers to take the arrows. They didn't spot the problem entirely via static analysis, although with hindsight they could have done (missing GitHub attestation).

narrator 7 hours ago | parent [-]

A security company could set up a honeypot machine that installs new releases of everything automatically and have a separate machine scan its network traffic for suspicious outbound connections.

mike_hearn 2 hours ago | parent [-]

The problem is what counts as suspicious. StepSecurity are quite clear in their post that they decide what counts as anomalous by comparing lots of open source runs against prior data, so they can't figure it out on their own.

PunchyHamster 4 hours ago | parent | prev | next [-]

The fact threat researchers and especially their automated agents are not all that good at their jobs

zwily 3 hours ago | parent [-]

Those threat researchers and their autonomous agents caught this axios release.

3 hours ago | parent [-]
[deleted]
staticassertion 6 hours ago | parent | prev [-]

> What do you base that on?

The entire history of malware lol

otterley 3 hours ago | parent [-]

Can you elaborate? Why do you believe that motivated threat hunters won’t continue to analyze and find threats in new versions of open source software in the first week after release?

staticassertion 3 hours ago | parent [-]

Attackers going "low and slow" when they know they're being monitored is just standard practice.

> Why do you believe that motivated threat hunters won’t continue to analyze and find threats in new versions of open source software in the first week after release?

I'm sure they will, but attackers will adapt. And I'm really unconvinced that these delays are really going to help in the real world. Imagine you rely on `popular-dependency` and it gets compromised. You have a cooldown, but I, the attacker, issue "CVE-1234" for `popular-dependency`. If you're at a company you now likely have a compliance obligation to patch that CVE within a strict timeline. I can very, very easily pressure you into this sort of thing.

I'm just unconvinced by the whole idea. It's fine, more time is nice, but it's not a good solution imo.

otterley 2 hours ago | parent [-]

What, in your view, is a better solution?

staticassertion an hour ago | parent [-]

There are many options. Here's a post just briefly listing a few of the ones that would be handled by package managers and registries, but there are also many things that would be best done in CI pipelines as well.

https://news.ycombinator.com/item?id=47586241

cozzyd 12 hours ago | parent | prev | next [-]

that's why people are telling others to use 7 days but using 8 days themselves :)

MetaWhirledPeas an hour ago | parent | next [-]

You don't have to be faster than the bear, you just have to be faster than the other guy.

wongarsu 6 hours ago | parent | prev | next [-]

brb, switching everything to 9 days

johnisgood 3 hours ago | parent [-]

That is 3D chess level type shit. xD

porridgeraisin 9 hours ago | parent | prev [-]

Genius

shreyssh 7 hours ago | parent | prev | next [-]

Worth noting this attack was caught because people noticed anomalous network traffic to a new endpoint. The 7-day delay doesn't just give scanners time, it gives the community time to notice weird behavior from early adopters who didn't have the delay set.

It's herd immunity, not personal protection. You benefit from the people who DO install immediately and raise the alarm

sersi 7 hours ago | parent [-]

But wouldn't the type of people that notifes anomalous network activity be exactly the type of people who add a 7 day delay because they're security conscious?

DrewADesign 3 hours ago | parent [-]

And I’ll bet a chunk of already-compromised vibe coders are feeling really on-top-of-shit because they just put that in their config, locking in that compromised version for a week.

jmward01 12 hours ago | parent | prev | next [-]

I suspect most packages will keep a mix of people at 7 days and those with no limit. That being said, adding jitter by default would be good to these features.

Barbing 10 hours ago | parent [-]

>adding jitter by default would be good

This became evident, what, perhaps a few years ago? Probably since childhood for some users here but just wondering what the holdup is. Lots of bad press could be avoided, or at least a little.

DimmieMan 12 hours ago | parent | prev | next [-]

They’re usually picked up by scanners by then.

Aurornis 12 hours ago | parent | prev | next [-]

Most people won’t.

7 days gives ample time for security scanning, too.

3abiton 11 hours ago | parent | prev | next [-]

This highly depends on the detection mechanism.

bakugo 12 hours ago | parent | prev | next [-]

> If everyone avoids using packages released within the last 7 days

Which will never even come close to happening, unless npm decides to make it the default, which they won't.

131hn 6 hours ago | parent | prev [-]

[dead]