0xbadcafebee 10 hours ago

"Wait a week to install software" does not work. Just a few months ago a massive exploit hit the web, a timed attack that sat for more than a month before executing. If everyone starts waiting a week, their exploits will wait 2 weeks. Cyber criminals do not need to exploit you immediately, they just need to exploit you. (It also doesn't change a large range of vuln classes like typosquatting.)

tom_alexander 9 hours ago | parent | next [-]

I think the author was suggesting "wait a week" as a one-time wait for fixes to be written and patches distributed for these specific prematurely-disclosed vulnerabilities, not an on-going suggestion for delaying all updates. But otherwise I agree with you.

xena 9 hours ago | parent [-]

Yep, that was my intent.

Barbing 8 hours ago | parent [-]

Oh! Not GP but skimmed too quickly

moebrowne an hour ago | parent | prev | next [-]

> If everyone starts waiting a week, their exploits will wait 2 weeks

It's much easier to break into an NPM/Github account and push malicious commits in the few hours a maintainer is sleeping than it is to push something out and not have it noticed for 2 weeks.

There are lists of attacks which had an exposure window which was much shorter than 2 weeks:

https://daniakash.com/posts/simplest-supply-chain-defense/

https://blog.yossarian.net/2025/11/21/We-should-all-be-using...

gpm 9 hours ago | parent | prev | next [-]

I think you misunderstood the article. The proposal isn't "wait a week after software has been published before installing it". It's "in the next seven days, starting now, just don't", because you probably don't have patches for these vulnerabilities, and even if you do, there are probably more scary vulnerabilities about to be discovered.

hnfong 4 hours ago | parent [-]

I think it's even more specific.

From TFA:

> Right now would be one of the best times for a supply chain attack via NPM to hit hard.

Given the local kernel root exploits, people pulling npm dependencies have an extra high chance of getting rooted. This includes test systems, build systems, the web server running node.js backend, etc. etc. etc.

This means that there is a significantly greater chance that whatever software you download (not necessarily npm-based) on the internet in these couple days has been unknowingly infected with backdoors, simply due to the fact that the vast majority of servers out there that use npm code have easily exploitable vulnerabilities.

Nathanba 7 hours ago | parent | prev | next [-]

Well then let's wait a month or even two months. The point of the wait period is primarily to avoid the new installation of exploits, not the execution of already installed exploits.

chakintosh 2 hours ago | parent | prev | next [-]

Yeah, Stuxnet was dormant for a year until execution.

whazor 8 hours ago | parent | prev | next [-]

A popular package has more exposure. When the artefact is published, the entire world can see it. Hopefully some people check the diff between versions. But without any delays then you could be hit by exploits nobody has seen yet.

dnaaun 4 hours ago | parent | prev | next [-]

Every dependency compromise that I can remember "in the past few months" was discovered in hours, if not minutes (litllm, axios, bitwarden CLI, Checkmarx docker images, Pytorch lightning, intercom/intercom-php). What's more, the discovery of these compromises did not at all rely on whether the compromises were actively used.

That's why I don't understand:

> If everyone starts waiting a week, their exploits will wait 2 weeks

fny 9 hours ago | parent | prev [-]

This is why cooldowns have space for patches.
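The cooldown mechanism debated throughout this thread (whazor's "without any delays you could be hit by exploits nobody has seen yet", fny's "cooldowns have space for patches"), as an added example written for this page; it is not code from any commenter, from the linked posts, or from npm itself. It resolves one package from npm-registry-style metadata: the newest stable version that has been public for at least N days wins, and versions the caller lists as security patches bypass the cooldown. The package name, timestamps, and advisory list are constructed for the demo.

```javascript
// Added example (written for this page, not code from the thread or the linked
// posts): a minimal dependency-cooldown resolver. Given npm-registry-style
// metadata for one package, it picks the newest stable version that has been
// public for at least `cooldownDays`, and lets versions listed as security
// patches through immediately. Package name, dates and the advisory list are
// constructed for the demo.

const DAY_MS = 24 * 60 * 60 * 1000;

// Parses "MAJOR.MINOR.PATCH". Returns null for prereleases ("2.5.0-beta.1")
// and for the registry's non-version keys ("created", "modified").
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison of two stable versions; positive when a is newer than b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// meta.time is the registry's map of version -> ISO publish timestamp.
// securityPatches: versions an advisory feed says fix a vulnerability; these
// bypass the cooldown so a fix is not held back by the very delay meant to
// protect against malicious releases.
function selectVersion(meta, { cooldownDays, now, securityPatches = [] }) {
  const nowMs = now.getTime();
  const cutoffMs = nowMs - cooldownDays * DAY_MS;

  const candidates = Object.entries(meta.time)
    .filter(([v]) => parseVersion(v) !== null)
    .map(([v, ts]) => ({ version: v, publishedMs: Date.parse(ts) }))
    .filter((c) => !Number.isNaN(c.publishedMs))
    .sort((a, b) => compareVersions(b.version, a.version)); // newest first

  for (const c of candidates) {
    const cooledDown = c.publishedMs <= cutoffMs;
    const isPatch = securityPatches.includes(c.version);
    if (cooledDown || isPatch) {
      return {
        version: c.version,
        ageDays: Math.floor((nowMs - c.publishedMs) / DAY_MS),
        reason: cooledDown ? "cooled-down" : "security-patch",
      };
    }
  }
  return null; // every stable version is still inside the cooldown window
}

// Constructed sample, shaped like the document returned by
// GET https://registry.npmjs.org/<package>; the name and timestamps are made up.
const SAMPLE_META = {
  name: "example-lib",
  "dist-tags": { latest: "2.4.1" },
  time: {
    created: "2023-01-10T12:00:00.000Z",
    modified: "2025-06-03T02:17:00.000Z",
    "2.3.0": "2025-04-20T09:00:00.000Z",
    "2.4.0": "2025-05-12T15:30:00.000Z",
    "2.4.1": "2025-06-03T02:17:00.000Z", // pushed overnight, less than a day ago
    "2.5.0-beta.1": "2025-06-02T00:00:00.000Z", // prerelease, never auto-selected
  },
};

const NOW = new Date("2025-06-04T00:00:00.000Z");

// With a 7-day cooldown the fresh 2.4.1 is skipped in favour of 2.4.0.
const picked = selectVersion(SAMPLE_META, { cooldownDays: 7, now: NOW });
console.log("cooldown 7d:", picked);

// If an advisory marks 2.4.1 as a security fix, it is allowed through.
const patched = selectVersion(SAMPLE_META, {
  cooldownDays: 7, now: NOW, securityPatches: ["2.4.1"],
});
console.log("cooldown 7d + advisory:", patched);

// A 60-day cooldown leaves no eligible version at all: the caller must decide
// whether to keep the installed version or fail the build.
console.log("cooldown 60d:", selectVersion(SAMPLE_META, { cooldownDays: 60, now: NOW }));
```

The patch allowlist is what keeps the two halves of the thread compatible: the cooldown absorbs the hours-to-days window in which most of the compromises dnaaun lists were caught, while a version named by an advisory is installed without delay. That only holds if the advisory source is one the attacker cannot write to; a "fix" announced from the same compromised maintainer account is just another fresh release and should stay in the window.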