Malware scanning baked into the platform?


(George Fekete) #1

In light of recent news: https://twitter.com/kennwhite/status/1067133581435305984?s=09

I propose that whenever a new package is added or updated, an automatic malware scan could be triggered on the repo. This could be one way of mitigating attacks on potentially millions of other repos.


(Daniel Ruf) #2

In general this would not have prevented it as the file only contained encrypted strings.
Now the AV vendors are slowly catching up.
They have great research and test labs and we should not reinvent AV.
But probably cooperate with a great one (or more). Or partner with Google / VT.

See https://github.com/dominictarr/event-stream/issues/116#issuecomment-442180509