logoalt Hacker News

zihotkiyesterday at 10:36 PM8 repliesview on HN

If everyone starts applying cooldowns, won't it postpone the problem? So now there is a considerable amount of users who are affected and someone from the affected group discovers the infection and reports it.

But if everyone will be delaying updates, won't be there less chances to catch it in time? I'm not fully sure if it's possible to preventively scan all NPM packages or how much compute it would require.


Replies

stusmallyesterday at 10:50 PM

>If everyone starts applying cooldowns, won't it postpone the problem?

There are still research firms who are actively and aggressively scanning new packages once they are pushed. For example socket.dev pulls new packages across ecosystems and performs automated analysis and runs it in a sandbox. We don't have to have them go boom in someone's production repos to find out there is a problem.

show 2 replies
woodruffwyesterday at 11:01 PM

> But if everyone will be delaying updates, won't be there less chances to catch it in time?

No: the security assumption behind cooldowns rests on security scanning parties, not on innocent users being victimized. Three days is a short cooldown, but it should be a good enough lead for scanning parties.

> I'm not fully sure if it's possible to preventively scan all NPM packages or how much compute it would require.

It’s not that much data, particularly for parties that are directly financially incentivized to be the first to report malware.

show 1 reply
MeetingsBrowseryesterday at 10:46 PM

Only a few of the recent supply chain attacks were discovered by users noticing weird behavior.

The majority were noticed by maintainers or third party groups noticing things like releases not tied to a source tag, many rapid releases, etc.

Cooldowns won’t stop everything, but it makes a malicious release significantly more likely to be noticed

roblablayesterday at 10:39 PM

The goal is to give time for automated scanners ran by cybersecurity companies to flag malware before it gets installed on real users.

ronbentonyesterday at 10:51 PM

Easy, then you just delay your project’s dependency updates just a little more than everyone else

tabwidthyesterday at 11:12 PM

Most of the malicious ones just curl something in a postinstall script, scanners already catch that. The sneaky ones don't look malicious until they run, and three days may not help.

show 2 replies
oakesm9yesterday at 10:38 PM

I think the idea is that it gives a bit of time for the companies which run automated scans of new versions to run through and detect any issues with new versions before users install them en-mass.

TZubiritoday at 12:17 AM

There was a story about two men and a tiger

The men see the tiger, one scrambles to run and the other starts putting on their shoes

"Why are you putting on shoes? You'll never outrun the tiger"

"I don't need to, I just need to outrun you"