
> But right now there are still no signed dependencies

Considering these attacks are stealing API tokens by running code on developers' machines, I don't see how signing helps; attackers will just steal the private keys and sign their malware with those.



Could they detect code running from a new IP address or location and ask for a 2FA code?


postinstall is running on the developer's machine; from an endpoint security perspective, it's the actual developer performing the malicious actions, from their machine, their IP address and their location.
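The point above is that the lifecycle script, not the network location, is where the risk sits. One defender-side check that follows from it is to enumerate which installed packages declare install-time hooks at all, and to decide deliberately whether to let npm run them. The script below is an added example, not code from the thread or from npm; the three manifests in it are constructed sample data, and `scan_node_modules` is a helper name chosen here for reading real `package.json` files from a checkout.

```python
"""Flag npm packages that declare install-time lifecycle scripts.

Added example, not from the thread. The manifests in SAMPLE_MANIFESTS are
constructed sample data standing in for node_modules/*/package.json.
"""
import json
from pathlib import Path

# npm runs these hooks automatically during `npm install` unless
# ignore-scripts is set, so they are the ones worth reviewing.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed sample manifests (not real packages).
SAMPLE_MANIFESTS = {
    "left-pad-ish": json.dumps({"name": "left-pad-ish", "version": "1.0.0"}),
    "native-addon": json.dumps({
        "name": "native-addon",
        "version": "2.3.1",
        # A legitimate reason to have an install hook: compiling a native addon.
        "scripts": {"install": "node-gyp rebuild", "test": "tap test/*.js"},
    }),
    "suspicious-util": json.dumps({
        "name": "suspicious-util",
        "version": "0.0.9",
        # A pure-JS utility with a postinstall hook deserves a closer look.
        "scripts": {"postinstall": "node setup.js"},
    }),
}


def install_scripts(manifest_text: str) -> dict:
    """Return the install-time hooks declared in one package.json (possibly empty)."""
    manifest = json.loads(manifest_text)
    scripts = manifest.get("scripts") or {}
    return {hook: cmd for hook, cmd in scripts.items() if hook in INSTALL_HOOKS}


def flag_packages(manifests: dict) -> list:
    """Return sorted (name, version, {hook: command}) for packages with install hooks."""
    flagged = []
    for text in manifests.values():
        hooks = install_scripts(text)
        if hooks:
            manifest = json.loads(text)
            flagged.append((manifest.get("name"), manifest.get("version"), hooks))
    return sorted(flagged)


def scan_node_modules(root: str) -> dict:
    """Read every package.json under <root>/node_modules (hypothetical helper name).

    Nested node_modules trees and @scoped packages are picked up by rglob.
    """
    manifests = {}
    for path in Path(root, "node_modules").rglob("package.json"):
        manifests[str(path)] = path.read_text(encoding="utf-8")
    return manifests


def npmrc_ignore_scripts() -> str:
    """The .npmrc line that stops npm from running lifecycle scripts at install time."""
    return "ignore-scripts=true"


if __name__ == "__main__":
    for name, version, hooks in flag_packages(flag_packages and SAMPLE_MANIFESTS):
        print(f"{name}@{version}: {hooks}")
    print("To disable install-time scripts project-wide, put this in .npmrc:",
          npmrc_ignore_scripts())
```

Run against a real checkout with `flag_packages(scan_node_modules("."))`. Setting `ignore-scripts=true` removes the postinstall vector entirely, but it also skips legitimate build steps such as the `node-gyp rebuild` in the sample, so the usual practice is to enable it and then run the few required build scripts explicitly after review.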


That's a good point. Thanks



