logoalt Hacker News

tabwidthyesterday at 11:12 PM2 repliesview on HN

Most of the malicious ones just curl something in a postinstall script, scanners already catch that. The sneaky ones don't look malicious until they run, and three days may not help.


Replies

MeetingsBrowseryesterday at 11:25 PM

There are plenty of ways to notice a malicious release without observing it running.

Build provenance, maintainer alerts on new releases, tying releases to specific git tags, etc all help.

drdexebtjlyesterday at 11:22 PM

Every single one now will be more sneaky, and we’ll be operating on a 3-day cooldown for no reason.

show 1 reply