Of course, when everyone sets min-release-age=7, supply chain attacks won't get noticed until 7 days later. So you should set min-release-age=14 and be safe forever.
Of course, when everyone sets min-release-age=7, supply chain attacks won't get noticed until 7 days later. So you should set min-release-age=14 and be safe forever.
I chuckled, but in all seriousness, thankfully those individuals and companies who often discover these attacks listen in on every new npm push and analyze it relatively fast. The time to detect is sometimes in minutes in recent months, less than the process of getting npm to remove the packages. Not always but looking at recent ones and advances in latest SOTA models make detection easier than ever. It might change as attackers get more sophisticated.