logoalt Hacker News

woodruffwyesterday at 11:01 PM1 replyview on HN

> But if everyone will be delaying updates, won't be there less chances to catch it in time?

No: the security assumption behind cooldowns rests on security scanning parties, not on innocent users being victimized. Three days is a short cooldown, but it should be a good enough lead for scanning parties.

> I'm not fully sure if it's possible to preventively scan all NPM packages or how much compute it would require.

It’s not that much data, particularly for parties that are directly financially incentivized to be the first to report malware.


Replies

moralestapiatoday at 1:48 AM

Do you have an example of those things you're alleging?

All package malware related news I see are related to users being affected by it (then security firms do their analysis whatever) ...

show 1 reply