Hacker News

0xbadcafebee yesterday at 11:48 PM (2 replies)

This is security through obscurity (which is to say: it's not security). Malware already waits dormant for years in many different attack vectors. There are known, simple fixes for the attacks on package managers. They need to implement those fixes, not ineffective hacks.


Replies

alpaca128 today at 1:10 AM

> Malware already waits dormant for years in many different attack vectors

And some malware doesn't wait. Sure, some supply chain attacks like the one in Notepad++ are much more sophisticated, but some untargeted ones (like the recent Cline CLI one) rely on package managers doing thousands of downloads before it's noticed and stopped.

eventualcomp today at 12:09 AM

A few points/qs:

- Could you explain what you mean by "security through obscurity"? The mechanism is well explained in the blog.yossarian.net posts linked within. It is simply adding a time filter on a client.

- Also, I'm not sure if package registries (e.g. server) and package managers (e.g. client) are being conflated here regarding "attacks on package managers"; this seems to be more of a mitigation a client could do when the upstream content in a registry is compromised.

- Lastly, I agree with the sentiment that this is not a full solution. But I think it can be useful nevertheless, à la the Swiss Cheese Safety Model. [1]

[1] https://en.wikipedia.org/wiki/Swiss_cheese_model
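To make the "time filter on a client" idea concrete, here is an added example of a client-side minimum-age (cooldown) filter over package version metadata. It is not code from this thread, from the linked blog posts, or from any package manager; the metadata layout mimics the npm registry's per-version `time` field but the package name, versions, timestamps and the fixed reference clock are constructed sample data.

```python
"""
Added example (not from the HN thread or any package manager): a client-side
minimum-age ("cooldown") filter over package version metadata. Given each
version's publish timestamp, the resolver refuses to select any version that
has been public for less than a configured number of days, so a freshly
published malicious release is not pulled by an automated install during the
window in which it is most likely to be noticed and yanked.

The `version -> ISO-8601 timestamp` layout mimics the npm registry's `time`
field, but everything below is constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: publish times for a hypothetical package "example-lib".
SAMPLE_PUBLISH_TIMES = {
    "1.0.0": "2024-01-10T12:00:00.000Z",
    "1.1.0": "2024-03-02T09:30:00.000Z",
    "1.1.1": "2024-03-20T15:45:00.000Z",
    "2.0.0": "2024-04-01T08:00:00.000Z",  # published one day before NOW
}

# Fixed reference clock so the example is reproducible offline.
NOW = datetime(2024, 4, 2, 8, 0, tzinfo=timezone.utc)


def parse_iso8601(ts: str) -> datetime:
    """Parse the registry's 'Z'-suffixed timestamp into a tz-aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_key(version: str):
    """Sort key for plain dotted numeric versions (no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


def eligible_versions(publish_times, min_age_days, now=NOW):
    """Return, oldest first, the versions public for at least min_age_days days."""
    cutoff = now - timedelta(days=min_age_days)
    return sorted(
        (v for v, ts in publish_times.items() if parse_iso8601(ts) <= cutoff),
        key=version_key,
    )


def select_version(publish_times, min_age_days, now=NOW):
    """
    Pick the newest version that satisfies the cooldown. Returns None when
    nothing is old enough; a resolver should treat that as a hard failure
    rather than silently falling back to the newest release.
    """
    ok = eligible_versions(publish_times, min_age_days, now)
    return ok[-1] if ok else None


if __name__ == "__main__":
    for days in (0, 7, 30, 365):
        chosen = select_version(SAMPLE_PUBLISH_TIMES, days)
        print(f"min age {days:>3} days -> {chosen}")
```

In a real client the `time` map would come from the registry's package metadata, versions with no publish timestamp should be treated as ineligible, and the cooldown should be applied to transitive dependencies as well. As the comment above notes, this is one slice of the cheese: it narrows the window for fast, untargeted compromises that depend on immediate mass downloads, and does nothing against malware that is designed to sit dormant past the cutoff.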