441 points by longcat | 1 comment
andix ◴[] No.45043591[source]
Are there any package managers that have something like a min-age setting, to ignore all packages that were published less than 24 or 36 hours ago?

I’ve run into similar issues before, some package update that broke everything, only to get pulled/patched a few hours later.

replies(5): >>45043774 #>>45043852 #>>45045196 #>>45045198 #>>45047987 #
jefozabuss ◴[] No.45043852[source]
I just use .npmrc with save-exact=true + lockfile + manual updates; you can't be too careful, and you don't need to update packages that often tbh.

Especially after the fakerjs (and other) things.

replies(1): >>45043937 #
andix ◴[] No.45043937[source]
But you're still updating at some point. Usually to the latest version. If you're unlucky, you are the first victim, a few seconds after the package was published. (Edit: on a popular package there will always be a first victim somewhere in the first few minutes)

Many of those supply chain attacks are detected within the first few hours. I guess nowadays there are even some companies out there that run automated analysis on every new version of major packages. Also, contributors/maintainers might notice something like that quickly if they didn't plan that release and it suddenly appears.
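The min-age gate asked about at the top of the thread, and the "don't be the first victim" point in the last reply, as an added worked example (not code from any commenter or from npm). It reads the `time` map that the npm registry returns for `https://registry.npmjs.org/<name>` (version -> ISO 8601 publish timestamp) and the per-version `deprecated` field, which are real registry fields; the registry document below is constructed sample data, the helper names are my own, and the script runs offline.

```javascript
// Added example (not from the thread): a "min-age" gate for npm packages.
// The registry document for https://registry.npmjs.org/<name> carries a
// `time` map of version -> ISO 8601 publish timestamp. This picks the newest
// version that has been public for at least minAgeHours, skipping releases
// that were deprecated or unpublished in the meantime. All data below is
// constructed sample data, not real registry metadata.

const SEMVER_RE = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/;

function parseSemver(v) {
  const m = SEMVER_RE.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Numeric major/minor/patch order; a release sorts after a prerelease of the
// same number. Ordering between two prereleases is not needed here.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === null && pb.pre !== null) return 1;
  if (pa.pre !== null && pb.pre === null) return -1;
  return 0;
}

// Versions published at or before now - minAgeHours, ascending by semver.
// `created`/`modified` are bookkeeping keys in `time`, not versions, and a
// version present in `time` but absent from `versions` has been unpublished.
function versionsOlderThan(doc, minAgeHours, now = Date.now()) {
  const cutoff = now - minAgeHours * 60 * 60 * 1000;
  return Object.entries(doc.time)
    .filter(([v]) => parseSemver(v) !== null && doc.versions[v] !== undefined)
    .filter(([, published]) => Date.parse(published) <= cutoff)
    .map(([v]) => v)
    .sort(compareSemver);
}

// Newest eligible version, or null if nothing is old enough. A version the
// maintainer deprecated (e.g. a pulled bad release) is skipped: a release that
// got deprecated inside the window is exactly what the gate exists to avoid.
function pickVersion(doc, minAgeHours, { allowPrerelease = false, now = Date.now() } = {}) {
  const eligible = versionsOlderThan(doc, minAgeHours, now)
    .filter((v) => allowPrerelease || parseSemver(v).pre === null)
    .filter((v) => !doc.versions[v].deprecated);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

// For an existing lockfile pin: true only if the pinned version is old enough
// and has not been deprecated or unpublished since it was locked.
function lockedVersionIsSafe(doc, version, minAgeHours, now = Date.now()) {
  return versionsOlderThan(doc, minAgeHours, now).includes(version)
    && !doc.versions[version].deprecated;
}

// Constructed sample document: same shape as a registry response, invented values.
const SAMPLE_DOC = {
  name: 'example-pkg',
  'dist-tags': { latest: '2.1.0' },
  versions: {
    '1.9.0': {},
    '2.0.0': {},
    '2.0.1': { deprecated: 'broken build, use 2.0.0' },
    '2.1.0': {},
    '2.2.0-rc.1': {},
  },
  time: {
    created: '2024-01-01T00:00:00.000Z',
    modified: '2024-03-10T09:30:00.000Z',
    '1.9.0': '2024-01-01T00:00:00.000Z',
    '2.0.0': '2024-03-01T12:00:00.000Z',
    '2.0.1': '2024-03-09T10:00:00.000Z',
    '2.1.0': '2024-03-10T09:30:00.000Z',
    '2.2.0-rc.1': '2024-03-10T09:45:00.000Z',
    '3.0.0': '2024-03-10T10:00:00.000Z', // in `time` only: unpublished
  },
};

// Fixed "now" so the run is reproducible: 2024-03-10T12:00Z.
const NOW = Date.parse('2024-03-10T12:00:00.000Z');

console.log('dist-tag latest :', SAMPLE_DOC['dist-tags'].latest);
console.log('min-age 24h     :', pickVersion(SAMPLE_DOC, 24, { now: NOW }));
console.log('min-age 1h      :', pickVersion(SAMPLE_DOC, 1, { now: NOW }));
console.log('lock 2.0.1, 24h :', lockedVersionIsSafe(SAMPLE_DOC, '2.0.1', 24, NOW));
```

With a 24-hour window the script returns 2.0.0 rather than the `latest` tag 2.1.0: 2.1.0 is too young, and 2.0.1, which is old enough, was deprecated by the maintainer and so is skipped. The gate only buys time for the detection the last reply describes; it does not replace reviewing what you pull in, and a compromised registry account could still publish a version whose timestamp starts the clock like any other.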