I think the author was suggesting "wait a week" as a one-time wait for fixes to be written and patches distributed for these specific prematurely-disclosed vulnerabilities, not an on-going suggestion for delaying all updates. But otherwise I agree with you.
reply
Yep, that was my intent.
reply
Oh! Not GP but skimmed too quickly
reply
> If everyone starts waiting a week, their exploits will wait 2 weeks

It's much easier to break into an NPM/Github account and push malicious commits in the few hours a maintainer is sleeping than it is to push something out and not have it noticed for 2 weeks.

There are lists of attacks which had an exposure window which was much shorter than 2 weeks:

https://daniakash.com/posts/simplest-supply-chain-defense/
https://blog.yossarian.net/2025/11/21/We-should-all-be-using...

reply
I think you misunderstood the article. The proposal isn't to wait a week after software has been published before installing it. It's: in the next seven days starting now, just don't, because you probably don't have patches for these vulnerabilities, and even if you do, there are probably more scary vulnerabilities about to be discovered.
reply
I think it's even more specific.

From TFA:

> Right now would be one of the best times for a supply chain attack via NPM to hit hard.

Given the local kernel root exploits, people pulling npm dependencies have an extra high chance of getting rooted. This includes test systems, build systems, the web server running node.js backend, etc. etc. etc.

This means that there is a significantly greater chance that whatever software you download (not necessarily npm-based) on the internet in these couple days has been unknowingly infected with backdoors, simply due to the fact that the vast majority of servers out there that use npm code have easily exploitable vulnerabilities.

reply
Well then, let's wait a month or even two months. The point of the wait period is primarily to avoid the new installation of exploits, not the execution of already installed exploits.
reply
Yeah, Stuxnet was dormant for a year until execution.
reply
A popular package has more exposure. When the artefact is published, the entire world can see it. Hopefully some people check the diff between versions. But without any delays then you could be hit by exploits nobody has seen yet.
reply
Every dependency compromise that I can remember "in the past few months" was discovered in hours, if not minutes (litllm, axios, bitwarden CLI, Checkmarx docker images, PyTorch Lightning, intercom/intercom-php). What's more, the discovery of these compromises did not at all rely on whether the compromises were actively used.

That's why I don't understand:

> If everyone starts waiting a week, their exploits will wait 2 weeks

reply
This is why cooldowns have space for patches.
reply
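The "cooldown" idea that runs through the thread (the short exposure windows of recent npm compromises, and the last comment's point that cooldowns leave space for patches) is easy to state but worth seeing as a resolver rule. The script below is an added example written for this page; it is not code from any package manager or from anyone in the thread. It assumes only the shape of an npm registry packument, whose `time` map lists each version's publish timestamp alongside `created`/`modified` entries, and the sample packument, its timestamps and the package name `example-lib` are constructed for the example. The `exclude` allow-list is a hypothetical knob modelled on the "space for patches" remark: a package you have decided you need immediately (say, to pick up a security fix) skips the wait. Given a semver range, a minimum release age and the current time, it picks the newest matching version that has been public long enough and reports which newer versions are still being held back.

```javascript
"use strict";

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample of what GET https://registry.npmjs.org/<name> returns.
// Only the fields this example uses are included; all values are invented.
const SAMPLE_PACKUMENT = {
  name: "example-lib",
  "dist-tags": { latest: "1.4.0" },
  time: {
    created: "2025-10-01T00:00:00.000Z",
    modified: "2025-11-20T12:00:00.000Z",
    "1.2.0": "2025-10-01T00:00:00.000Z",
    "1.3.0": "2025-11-10T00:00:00.000Z",
    "1.4.0": "2025-11-20T12:00:00.000Z", // published ~1.5 days before "now"
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease tags are not handled here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Minimal range support: an exact version, or a caret range such as "^1.2.0".
// Caret semantics: the leftmost non-zero component of the base must not change.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (!v) return false;
  if (range.startsWith("^")) {
    const b = parseVersion(range.slice(1));
    if (!b || compareVersions(v, b) < 0) return false;
    if (b[0] !== 0) return v[0] === b[0];
    if (b[1] !== 0) return v[0] === 0 && v[1] === b[1];
    return compareVersions(v, b) === 0;
  }
  const e = parseVersion(range);
  return e !== null && compareVersions(v, e) === 0;
}

// Pick the newest version in `range` that has been published for at least
// `minAgeMs`. Packages listed in `exclude` (hypothetical allow-list) bypass
// the wait so an urgent patch can still be taken. Versions newer than the
// chosen one that are still inside the cooldown are returned as `held`.
function resolveWithCooldown(packument, range, { now, minAgeMs, exclude = [] }) {
  const waived = exclude.includes(packument.name);
  const candidates = Object.entries(packument.time)
    .filter(([key]) => parseVersion(key) !== null) // drop created/modified
    .map(([version, iso]) => ({ version, published: Date.parse(iso) }))
    .filter(({ version }) => satisfies(version, range))
    .sort((a, b) => compareVersions(parseVersion(b.version), parseVersion(a.version)));

  const held = [];
  for (const c of candidates) {
    const ageMs = now - c.published; // negative if the registry clock is ahead
    if (waived || ageMs >= minAgeMs) {
      return { version: c.version, ageDays: ageMs / DAY_MS, waived, held };
    }
    held.push(c.version);
  }
  return { version: null, ageDays: null, waived, held };
}

// Three resolutions against the same constructed packument and a fixed "now".
function demo() {
  const now = Date.parse("2025-11-22T00:00:00.000Z");
  const range = "^1.2.0";
  return {
    oneWeek: resolveWithCooldown(SAMPLE_PACKUMENT, range, { now, minAgeMs: 7 * DAY_MS }),
    twoWeeks: resolveWithCooldown(SAMPLE_PACKUMENT, range, { now, minAgeMs: 14 * DAY_MS }),
    patchWaiver: resolveWithCooldown(SAMPLE_PACKUMENT, range, {
      now,
      minAgeMs: 7 * DAY_MS,
      exclude: ["example-lib"],
    }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With a seven-day cooldown the resolver holds back 1.4.0 (1.5 days old) and installs 1.3.0; at fourteen days it also holds 1.3.0 and falls back to 1.2.0, which is the "exploits will wait two weeks" scenario the thread argues about; with the package on the allow-list it takes 1.4.0 immediately. Note that `dist-tags.latest` is deliberately ignored: a compromised release is usually also the one tagged `latest`, so the age check has to look at the `time` map, not the tag.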