They can, but what does it solve? If a malicious package gets pushed, who or wha... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		hashstring 50 days ago \| parent \| context \| favorite \| on: Shai-Hulud Returns: Over 300 NPM Packages Infected They can, but what does it solve? If a malicious package gets pushed, who or what is the equivalent of the CA that you are you going to nuke?

rishabhaiover 50 days ago [–]

I was working with the assumption in this model the attestation is signed by ephemeral keys (OIDC) which would reveal the bad actor or give breadcrumbs. Enough to reduce incentives to hijack packages.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact