0xbadcafebee, an hour ago:
The package event-stream was compromised and went unnoticed for 60 days: https://medium.com/intrinsic-blog/compromised-npm-package-ev...

The package axios was compromised, and hijacked the author's credentials, so every attempt at a fix was unfixed. https://www.trendmicro.com/en_us/research/26/c/axios-npm-pac...

The xz utility was backdoored for 2 months: https://gigazine.net/gsc_news/en/20240403-timeline-of-xz-ope...

A student researcher took over Python ctx and PHPass package maintainership, pushing out malicious changes, and that took over 7 days to be detected and fixed: https://infosecwriteups.com/how-i-hacked-ctx-and-phpass-modu...

Kaspersky found multiple PyPI packages that had been exploited for more than a year: https://www.kaspersky.com/about/press-releases/kaspersky-unc...

"LofyLife" packages were exploited for several months: https://securelist.com/lofylife-malicious-npm-packages/10701...

Now that the attack window has changed to 7 days, all new exploits like these will come with time bombs to not trigger until 8 days.
pixl97, 34 minutes ago, replying to 0xbadcafebee:
Instant attacks are much easier and more common than delayed attacks. Security is an onion.
Sayrus, an hour ago, replying to 0xbadcafebee:
> Now that the attack window has changed to 7 days, all new exploits like these will come with time bombs to not trigger until 8 days.

Many automated scanners use static code analysis rather than run the installation script. Not all of them are caught, but a good part of them are and you'd be saved by a delay.
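The two defences the thread contrasts, a minimum release age and static inspection of install-time scripts, can be combined into a simple pre-install gate. The following is an added example, not code from any commenter or from npm; the registry-style metadata it reads is constructed, and the 7-day threshold is the figure quoted in the thread.

```javascript
// Added example: a static pre-install gate that (1) holds versions published
// less than MIN_RELEASE_AGE_DAYS ago and (2) flags versions whose package.json
// declares install-time lifecycle scripts, without ever executing them.

const MIN_RELEASE_AGE_DAYS = 7;
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed sample shaped like a trimmed npm registry document: "time" maps
// version -> publish timestamp, "versions" maps version -> that version's manifest.
const SAMPLE_METADATA = {
  name: "example-stream",
  time: {
    "1.0.0": "2024-01-10T12:00:00.000Z",
    "1.0.1": "2024-03-01T09:30:00.000Z",
  },
  versions: {
    "1.0.0": { version: "1.0.0", scripts: { test: "node test.js" } },
    "1.0.1": { version: "1.0.1", scripts: { postinstall: "node setup.js" } },
  },
};

// Lifecycle hooks declared by a manifest (static read of package.json only).
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return LIFECYCLE_HOOKS.filter((hook) => hook in scripts);
}

// Evaluate one version as of `now`. verdict: "hold" (too new), "review"
// (old enough but runs code at install time), or "allow".
function evaluateVersion(metadata, version, now, minAgeDays = MIN_RELEASE_AGE_DAYS) {
  const published = new Date(metadata.time[version]);
  if (Number.isNaN(published.getTime())) {
    throw new Error(`no publish time recorded for ${metadata.name}@${version}`);
  }
  const ageDays = (now.getTime() - published.getTime()) / 86_400_000;
  const hooks = installHooks(metadata.versions[version]);
  const verdict = ageDays < minAgeDays ? "hold" : hooks.length ? "review" : "allow";
  return { version, ageDays, hooks, verdict };
}

// Evaluate every published version in the document.
function gatePackage(metadata, now = new Date()) {
  return Object.keys(metadata.versions).map((v) => evaluateVersion(metadata, v, now));
}

// Fixed clock so the sample run is reproducible.
for (const r of gatePackage(SAMPLE_METADATA, new Date("2024-03-05T00:00:00.000Z"))) {
  console.log(`${SAMPLE_METADATA.name}@${r.version}: ${r.ageDays.toFixed(1)}d old, hooks [${r.hooks}] -> ${r.verdict}`);
}
```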