<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: summitwebaudit</title><link>https://news.ycombinator.com/user?id=summitwebaudit</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Mon, 06 Apr 2026 04:37:34 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=summitwebaudit" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by summitwebaudit in "Axios compromised on NPM – Malicious versions drop remote access trojan"]]></title><description><![CDATA[
<p>The postinstall script vector is getting all the attention, but IMO the scarier part is how the attacker chain works: compromise one package's credentials, use that access to pivot to the next target. Trivy -> LiteLLM -> now potentially axios. Each compromised package becomes a credential harvester for the next round.</p><p>The min-release-age configs (now in npm, pnpm, bun, uv) are a good start, but they only work as herd immunity — you need enough early adopters installing fresh releases to trigger detection before the 7-day window expires for everyone else. It's basically a bet that security researchers will catch it faster than your cooldown period.</p><p>For Node specifically: if you're still using axios for new projects, it's worth asking why. Native fetch has been stable in Node since v21. One less dependency in your tree is one less attack surface.</p>
]]></description><pubDate>Wed, 01 Apr 2026 09:40:14 +0000</pubDate><link>https://news.ycombinator.com/item?id=47598738</link><dc:creator>summitwebaudit</dc:creator><comments>https://news.ycombinator.com/item?id=47598738</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47598738</guid></item></channel></rss>