6thbit 7 hours ago

I don’t buy the “wait 7 days” being thrown around as a guard.

Wouldn’t that just encourage the bad actors to delay the activation of their payloads by a few days, or even activate them remotely on a switch?

roflcopter69 7 hours ago

Of course the "wait 7 days" is not a silver bullet, but it gives automated scanners plenty of time to do their work. Those automated scanners surely catch this `eval(base64.decode("..."))` stuff that some of those attacks used, so in my book this dependency cooldown is a net win. I guess the skilled malicious actors will then up their game, but I think it's okay to kick off an arms race between them and the security scanners in the dependency world.
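One way to implement the dependency cooldown discussed in this thread, as an added example that is not part of the discussion above: given a map of version to publish time (the shape of the npm registry packument `time` field), pick the newest version that has been public for at least N days and report which ones are still held back. The package name, versions and timestamps are constructed sample data, and the version ordering assumes plain `major.minor.patch` strings.

```python
import math
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of an npm packument "time" field:
# version -> ISO 8601 publish timestamp, plus "created"/"modified" entries.
# Hypothetical package data, not taken from any real registry.
SAMPLE_TIME_FIELD = {
    "created": "2024-01-02T10:00:00.000Z",
    "modified": "2024-03-10T08:30:00.000Z",
    "1.4.0": "2024-01-02T10:00:00.000Z",
    "1.4.1": "2024-02-15T12:00:00.000Z",
    "1.5.0": "2024-03-05T09:00:00.000Z",   # ~5 days old at NOW: still in cooldown
    "1.5.1": "2024-03-10T08:30:00.000Z",   # published hours ago: in cooldown
}

# Fixed "current time" so the example is reproducible offline.
NOW = datetime(2024, 3, 10, 12, 0, 0, tzinfo=timezone.utc)

META_KEYS = ("created", "modified")


def _parse_ts(ts):
    # Older Pythons do not accept a trailing "Z" in fromisoformat.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _version_key(v):
    # Assumes simple numeric major.minor.patch versions.
    return tuple(int(p) for p in v.split("."))


def eligible_versions(time_field, now, cooldown_days=7):
    """Versions public for at least cooldown_days, newest first."""
    cutoff = now - timedelta(days=cooldown_days)
    ok = [v for v, ts in time_field.items()
          if v not in META_KEYS and _parse_ts(ts) <= cutoff]
    return sorted(ok, key=_version_key, reverse=True)


def pick_version(time_field, now, cooldown_days=7):
    """Newest version that has cleared the cooldown, or None if none has."""
    ok = eligible_versions(time_field, now, cooldown_days)
    return ok[0] if ok else None


def held_back(time_field, now, cooldown_days=7):
    """Versions still inside the window, mapped to whole days until they clear."""
    cutoff = now - timedelta(days=cooldown_days)
    out = {}
    for v, ts in time_field.items():
        if v in META_KEYS:
            continue
        remaining = _parse_ts(ts) - cutoff
        if remaining > timedelta(0):
            out[v] = math.ceil(remaining.total_seconds() / 86400)
    return out
```

A resolver that logs `held_back(...)` alongside the chosen version makes it visible when a freshly published release is being skipped, which is the window in which scanners get to look at it.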

6thbit 6 hours ago

That's a good point. On some level I'd prefer the delay to happen on publication of the package itself. Do any of these scanners have cryptographic attestations or similar?