Cool down your dependencies 0 ▲ Thoughts and stuff 20 days ago · Tech · hide · 0 comments There have been a lot of supply-chain attacks going around recently. Someone nefarious gets control of the publish rights of a piece of software we use to build other software, a library or a dev tool, and push out a version with a malicious payload. The payload usually moves fast: it spreads itself and / or extracts secrets like keys and crypto wallets as soon as it is installed. Some attacks even identify any publishing rights they can get and push malicious versions to other packages. The speed of these attacks is frightening, but also a clear signal that makes people react. The attacks are usually spotted and pulled within hours. This means that the attacks have a narrow window. A study of ten prominent attacks found eight of the ten had a window of opportunity under a week. By not immediately installing the newest version on the day it is published you protect yourself from most attacks. A valid mitigation is a “cooldown”, “minimum release age” or “delay”: tell your tooling to… No comments yet. Log in to reply on the Fediverse. Comments will appear here.