Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
teeray 4 hours ago

It basically devolves into a Volunteer’s Dilemma. There’s no incentive here to be the guinea pig, so nobody will want to be.

embedding-shape 2 hours ago | parent [-]

> It basically devolves into a Volunteer’s Dilemma. There’s no incentive here to be the guinea pig, so nobody will want to be.

Except there is lots to gain from being the first to write about the new malware on some registry, so companies are actively downloading and inspecting literally every package.

Back in the day (maybe 6-7 years ago?) you could detect this by uploading a new npm package that hit back some endpoint in your control, and it was almost guaranteed that this endpoint got a request within a minute of publishing a new package or update to existing one with users. Nowadays I think none of the scanners actually run the code, mostly static-analysis, and I dunno how often the npm download counter updates per day, probably harder to see in real-time.

teeray 2 hours ago | parent [-]

> Except there is lots to gain from being the first to write about the new malware on some registry

Show me the company writing to their customers “we intentionally decided to ship code with potentially novel vulnerabilities. One of those vulnerabilities caused disclosure of your data, but cheer up! We have this cool security blog post about it now.” Meanwhile their competitors freeride and their customers’ data is safe.

scheme271 22 minutes ago | parent | next [-]

I think it's more some security company writing about a vulnerability they discovered in this module or a worm/backdoor and not the company that wrote the software. The security company gets publicity and potentially gets more biz for security consulting.

weaksauce an hour ago | parent | prev [-]

security researchers not the ones shipping the faulty code.

teeray an hour ago | parent [-]

We’re not talking about security researchers here:

> there is lots to gain from being the first to write about the new malware on some registry, so *companies* are actively downloading and inspecting literally every package.

(Emphasis mine)

john_strinlai 20 minutes ago | parent [-]

>We’re not talking about security researchers here:

we are.

"companies" in this context is "security companies" (hence why they are "downloading and inspecting every package", which would not make sense if referring to the people authoring and shipping a single package)