Remix.run Logo
zihotki 2 hours ago

If everyone starts applying cooldowns, won't it postpone the problem? So now there is a considerable amount of users who are affected and someone from the affected group discovers the infection and reports it.

But if everyone will be delaying updates, won't be there less chances to catch it in time? I'm not fully sure if it's possible to preventively scan all NPM packages or how much compute it would require.

stusmall an hour ago | parent | next [-]

>If everyone starts applying cooldowns, won't it postpone the problem?

There are still research firms who are actively and aggressively scanning new packages once they are pushed. For example socket.dev pulls new packages across ecosystems and performs automated analysis and runs it in a sandbox. We don't have to have them go boom in someone's production repos to find out there is a problem.

NewJazz 4 minutes ago | parent [-]

[dead]

woodruffw an hour ago | parent | prev | next [-]

> But if everyone will be delaying updates, won't be there less chances to catch it in time?

No: the security assumption behind cooldowns rests on security scanning parties, not on innocent users being victimized. Three days is a short cooldown, but it should be a good enough lead for scanning parties.

> I'm not fully sure if it's possible to preventively scan all NPM packages or how much compute it would require.

It’s not that much data, particularly for parties that are directly financially incentivized to be the first to report malware.

MeetingsBrowser an hour ago | parent | prev | next [-]

Only a few of the recent supply chain attacks were discovered by users noticing weird behavior.

The majority were noticed by maintainers or third party groups noticing things like releases not tied to a source tag, many rapid releases, etc.

Cooldowns won’t stop everything, but it makes a malicious release significantly more likely to be noticed

roblabla 2 hours ago | parent | prev | next [-]

The goal is to give time for automated scanners ran by cybersecurity companies to flag malware before it gets installed on real users.

tabwidth an hour ago | parent | prev | next [-]

Most of the malicious ones just curl something in a postinstall script, scanners already catch that. The sneaky ones don't look malicious until they run, and three days may not help.

MeetingsBrowser an hour ago | parent | next [-]

There are plenty of ways to notice a malicious release without observing it running.

Build provenance, maintainer alerts on new releases, tying releases to specific git tags, etc all help.

drdexebtjl an hour ago | parent | prev [-]

Every single one now will be more sneaky, and we’ll be operating on a 3-day cooldown for no reason.

brookst 38 minutes ago | parent [-]

You really think it has zero benefit whatsoever? Nothing malicious will be caught?

ronbenton an hour ago | parent | prev | next [-]

Easy, then you just delay your project’s dependency updates just a little more than everyone else

oakesm9 2 hours ago | parent | prev [-]

I think the idea is that it gives a bit of time for the companies which run automated scans of new versions to run through and detect any issues with new versions before users install them en-mass.