| ▲ | zihotki 2 hours ago | ||||||||||||||||||||||
If everyone starts applying cooldowns, won't it postpone the problem? So now there is a considerable amount of users who are affected and someone from the affected group discovers the infection and reports it. But if everyone will be delaying updates, won't be there less chances to catch it in time? I'm not fully sure if it's possible to preventively scan all NPM packages or how much compute it would require. | |||||||||||||||||||||||
| ▲ | stusmall an hour ago | parent | next [-] | ||||||||||||||||||||||
>If everyone starts applying cooldowns, won't it postpone the problem? There are still research firms who are actively and aggressively scanning new packages once they are pushed. For example socket.dev pulls new packages across ecosystems and performs automated analysis and runs it in a sandbox. We don't have to have them go boom in someone's production repos to find out there is a problem. | |||||||||||||||||||||||
| |||||||||||||||||||||||
| ▲ | woodruffw an hour ago | parent | prev | next [-] | ||||||||||||||||||||||
> But if everyone will be delaying updates, won't be there less chances to catch it in time? No: the security assumption behind cooldowns rests on security scanning parties, not on innocent users being victimized. Three days is a short cooldown, but it should be a good enough lead for scanning parties. > I'm not fully sure if it's possible to preventively scan all NPM packages or how much compute it would require. It’s not that much data, particularly for parties that are directly financially incentivized to be the first to report malware. | |||||||||||||||||||||||
| ▲ | MeetingsBrowser an hour ago | parent | prev | next [-] | ||||||||||||||||||||||
Only a few of the recent supply chain attacks were discovered by users noticing weird behavior. The majority were noticed by maintainers or third party groups noticing things like releases not tied to a source tag, many rapid releases, etc. Cooldowns won’t stop everything, but it makes a malicious release significantly more likely to be noticed | |||||||||||||||||||||||
| ▲ | roblabla 2 hours ago | parent | prev | next [-] | ||||||||||||||||||||||
The goal is to give time for automated scanners ran by cybersecurity companies to flag malware before it gets installed on real users. | |||||||||||||||||||||||
| ▲ | tabwidth an hour ago | parent | prev | next [-] | ||||||||||||||||||||||
Most of the malicious ones just curl something in a postinstall script, scanners already catch that. The sneaky ones don't look malicious until they run, and three days may not help. | |||||||||||||||||||||||
| |||||||||||||||||||||||
| ▲ | ronbenton an hour ago | parent | prev | next [-] | ||||||||||||||||||||||
Easy, then you just delay your project’s dependency updates just a little more than everyone else | |||||||||||||||||||||||
| ▲ | oakesm9 2 hours ago | parent | prev [-] | ||||||||||||||||||||||
I think the idea is that it gives a bit of time for the companies which run automated scans of new versions to run through and detect any issues with new versions before users install them en-mass. | |||||||||||||||||||||||