Well, if that actually works, it should be part of the release process, before the packages get placed onto the regular channels.
I think the key right now is that these are semi-automated scanning processes. Right now, companies like StepSecurity selectively publish. So, in order for a hacking group to find out if their malware is detected or not, they have to burn access to a useful package.
None of this is to say I think Microsoft shouldn't be doing something as part of the release process on NPM. However, there is real value in giving more independent third parties a window to do things semi-manually.
It works because there are multiple companies doing it and double checking the results.
For example, is a crypto miner actually an attack? If the package presents itself as a miner, then no. Are connections to other repositories an attack? Again, it depends on what the package does. Connections to some other hostname? Depends.
There is still a lot of human analysis that occurs in making the call that an attack is occurring.
Yeah, this is the part that I don't get. If the solution is "security testing should come before people install it", why is the big push to have people intentionally add this artificial delay to install later rather than moving the security testing earlier to before the release? If you want to make people not drive on the road until the pavement dries, you don't try to convince everyone to push back their workday by an hour; you just lay the asphalt an hour earlier.
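The "artificial delay" the thread argues about is usually implemented as a minimum release age: a resolver ignores any version published less than N days ago, so a malicious release has a window in which third-party scanners can catch it before anyone pulls it. The following is an added example, not code from any commenter or from npm, showing that selection logic over a constructed packument (`example-lib`, its versions and timestamps are all made up; the `time` map mirrors the shape the npm registry returns, and version ordering assumes plain `x.y.z` strings with no prerelease tags).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of the `time` field an npm packument carries: each key is
# either a version or the "created"/"modified" markers, each value an ISO 8601
# publish timestamp. Package name and dates are hypothetical.
SAMPLE_PACKUMENT = {
    "name": "example-lib",
    "dist-tags": {"latest": "1.4.0"},
    "time": {
        "created": "2024-01-10T12:00:00.000Z",
        "modified": "2024-03-01T09:30:00.000Z",
        "1.2.0": "2024-01-10T12:00:00.000Z",
        "1.3.0": "2024-02-15T08:00:00.000Z",
        "1.4.0": "2024-03-01T09:30:00.000Z",
    },
}


def parse_npm_time(ts: str) -> datetime:
    """Parse the registry's ISO 8601 timestamps (trailing 'Z') into aware UTC datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def semver_key(version: str):
    """Sort key for plain x.y.z versions (assumption: no prerelease/build suffixes)."""
    return tuple(int(part) for part in version.split("."))


def split_by_age(packument: dict, now: datetime, min_age: timedelta):
    """Partition published versions into those old enough to install and those still held.

    A version is eligible when its publish time is at or before `now - min_age`;
    everything newer stays in the cooldown window where scanners get first look.
    """
    cutoff = now - min_age
    eligible, held = [], []
    for key, ts in packument["time"].items():
        if key in ("created", "modified"):
            continue  # bookkeeping entries, not versions
        published = parse_npm_time(ts)
        (eligible if published <= cutoff else held).append(key)
    return sorted(eligible, key=semver_key), sorted(held, key=semver_key)


def pick_cooled_version(packument: dict, now: datetime, min_age: timedelta):
    """Return the highest version that has cleared the cooldown, or None if none has.

    Returning None (rather than falling back to `latest`) is deliberate: a brand-new
    package with no version older than the window should fail the install, not
    silently bypass the delay.
    """
    eligible, _ = split_by_age(packument, now, min_age)
    return eligible[-1] if eligible else None


if __name__ == "__main__":
    now = datetime(2024, 3, 5, tzinfo=timezone.utc)
    ok, waiting = split_by_age(SAMPLE_PACKUMENT, now, timedelta(days=7))
    print("installable:", ok, "still in cooldown:", waiting)
    print("resolved:", pick_cooled_version(SAMPLE_PACKUMENT, now, timedelta(days=7)))
```

With a seven-day window on 2024-03-05, `1.4.0` (published 2024-03-01) is held back and `1.3.0` is resolved instead; with a zero-length window the registry's `latest` is returned, and for a package whose every version is inside the window the function returns `None` so the caller can fail closed.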