by AgentME 10 days ago
But there is a second level of people reviewing packages on npm. They're the ones that report issues like the GitHub issue this HN thread is linked to, and they very frequently get malicious npm packages taken down within a day of publishing. The big issue is just that not everyone is using a cooldown to avoid packages less than a day old, and so people who install new packages at unlucky times don't get the benefit of that layer of review.

I don't understand why you're confident that those GitHub issues won't just end up coming later if literally everyone adds this cooldown.
The security companies looking for and reporting the issues aren't going to use the cooldown too.
They make their money from getting paid by other companies though, don't they? It's hard for me not to imagine that companies in general will see "testing stuff a day later" as a way to cut costs or not pay out as much for bounties, because of claims that no one was actually affected yet.
> they very frequently get malicious npm packages taken down within a day of publishing

If I'm reading the secondarily-linked blog post correctly, this was live for 12 days before discovery.

No, the reference to May 19 in the article is about a previous supply chain attack against AntV (https://www.stepsecurity.io/blog/shai-hulud-here-we-go-again...). I think there may be some copy-paste mistakes where they reused part of that previous article and didn't contextualize it correctly.

The npm package `@redhat-cloud-services/chrome` version 2.3.1, which was part of this current supply chain attack, was published on June 1. The malicious package version is no longer listed on npmjs.com's web UI since it was taken down, but the publish date of 2.3.1 can still be seen in https://registry.npmjs.org/@redhat-cloud-services/chrome by searching for the version number there, and the publish date was 2026-06-01T10:54:42.121Z.

I find the article extremely annoying for not having a clear timeline of when these malicious package versions were available.
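The "cooldown" policy from the first comment and the registry lookup from the last one can be combined into a single check: the JSON document at https://registry.npmjs.org/&lt;package&gt; carries a `time` object mapping each version to its ISO 8601 publish timestamp, so an installer (or a pre-install hook in CI) can refuse any version younger than a chosen minimum age and fall back to the newest version that is old enough. The script below is an added illustration written for this thread, not code from npm, from the linked article, or from any project; the registry document it parses is constructed inline so it runs offline, and only the 2.3.1 timestamp is the one quoted above. The `now` instants are constructed too.

```python
"""Apply an npm install cooldown using the registry's per-version publish times.

Added example for this thread (not npm's code). It parses the shape of the
document that https://registry.npmjs.org/<package> returns; the document below
is constructed, with only the 2.3.1 timestamp taken from the thread.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of a registry "packument". The real document
# carries many more fields; the 'time' object (version -> publish time, plus
# 'created' and 'modified') is the only part this check needs.
SAMPLE_PACKUMENT = {
    "name": "@redhat-cloud-services/chrome",
    "dist-tags": {"latest": "2.3.1"},
    "time": {
        "created": "2024-01-10T09:00:00.000Z",   # constructed
        "modified": "2026-06-01T10:54:42.121Z",  # constructed
        "2.2.9": "2026-04-02T14:11:05.000Z",     # constructed
        "2.3.0": "2026-05-12T08:30:00.000Z",     # constructed
        "2.3.1": "2026-06-01T10:54:42.121Z",     # publish time quoted in the thread
    },
}

# Keys under 'time' that are not version numbers.
_NON_VERSION_KEYS = {"created", "modified", "unpublished"}


def parse_npm_time(stamp: str) -> datetime:
    """Parse the registry's 'Z'-suffixed ISO 8601 timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def version_publish_times(packument: dict) -> Dict[str, datetime]:
    """Map each published version to its publish time, skipping non-version keys."""
    times = packument.get("time", {})
    return {
        v: parse_npm_time(stamp)
        for v, stamp in times.items()
        if v not in _NON_VERSION_KEYS and isinstance(stamp, str)
    }


def version_age_hours(packument: dict, version: str, now_iso: str) -> float:
    """Hours elapsed between the version's publish time and `now_iso`."""
    now = parse_npm_time(now_iso)
    published = version_publish_times(packument)[version]
    return (now - published) / timedelta(hours=1)


def is_under_cooldown(packument: dict, version: str, now_iso: str, min_age_hours: float) -> bool:
    """True when the version is younger than the cooldown and should not be installed yet."""
    return version_age_hours(packument, version, now_iso) < min_age_hours


def newest_version_past_cooldown(packument: dict, now_iso: str, min_age_hours: float) -> Optional[str]:
    """Newest version (by publish time) that is at least `min_age_hours` old, or None."""
    now = parse_npm_time(now_iso)
    eligible = [
        (published, v)
        for v, published in version_publish_times(packument).items()
        if now - published >= timedelta(hours=min_age_hours)
    ]
    if not eligible:
        return None
    return max(eligible)[1]


def cooldown_report(packument: dict, now_iso: str, min_age_hours: float) -> List[Tuple[str, float, str]]:
    """Per-version (version, age in hours, 'ok' | 'held') rows, newest first."""
    rows = []
    for v, published in sorted(version_publish_times(packument).items(),
                               key=lambda kv: kv[1], reverse=True):
        age = (parse_npm_time(now_iso) - published) / timedelta(hours=1)
        rows.append((v, round(age, 2), "held" if age < min_age_hours else "ok"))
    return rows


if __name__ == "__main__":
    # Constructed instant about nine hours after 2.3.1 was published.
    now = "2026-06-01T20:00:00Z"
    for row in cooldown_report(SAMPLE_PACKUMENT, now, 24):
        print(row)
    print("install:", newest_version_past_cooldown(SAMPLE_PACKUMENT, now, 24))
```

With a 24-hour cooldown and the constructed `now` of 2026-06-01T20:00:00Z, 2.3.1 is held and 2.3.0 is selected; two days later 2.3.1 passes. The check only trusts what the registry reports, so it helps against the "installed at an unlucky time" window the first comment describes, not against a version that reviewers never flagged.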