Maybe you shouldn't install new software for a bit
Two fresh Linux kernel vulnerabilities—copy.fail and Dirty Frag—dropped this week, and the author flags this as an ideal window for a timed NPM supply-chain attack to land hard.
What Matters
- copy.fail and Dirty Frag are the named vulns; apply distro kernel patches first, then pause other installs for ~1 week.
- The install-moratorium advice targets this specific patch-gap window, not as ongoing hygiene—per thread clarification.
- [HN: @AgentME] npm/PyPI/Cargo all support installing only versions >N days old; recent high-profile attacks were caught and rolled back within 24 hours, making this viable.
- [HN: @anymouse123456] Pinning base container images and updating dependencies explicitly—not pulling latest on every build—eliminates most of this class of risk.
- [HN: @metaengies] Dirty Frag affects systems dating to 2017; “new software” framing is misleading—old software carries longer exposure history.
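The release-age rule from the @AgentME comment, as an added worked example (not code from the HN thread or from any package manager): given registry-style metadata mapping versions to publish timestamps, it picks the newest version that has been public for at least N days, and builds the matching `npm install --before=<date>` command. The `RELEASE_TIMES` map, the `example-pkg` name, its versions and the fixed `NOW` clock are all constructed sample data, shaped like the `time` field of an npm registry document so the script runs offline.

```python
"""Select the newest package version that is at least N days old.

Added example implementing the "install only versions older than N days"
policy generically. The metadata below is constructed; it mimics the
`time` map an npm registry returns for a package (version -> ISO timestamp).
"""
from datetime import datetime, timedelta, timezone

# Constructed sample data: hypothetical package, made-up versions and dates.
PACKAGE = "example-pkg"
RELEASE_TIMES = {
    "1.9.0": "2025-01-02T10:00:00.000Z",
    "1.9.1": "2025-01-20T09:30:00.000Z",
    "1.10.0": "2025-02-10T16:45:00.000Z",
    "1.10.1": "2025-02-13T14:15:00.000Z",  # published less than a day before NOW
}
# Fixed clock so the example is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2025, 2, 14, 12, 0, tzinfo=timezone.utc)


def parse_version(v):
    """Numeric tuple so '1.10.0' sorts after '1.9.1' (string sort gets this wrong)."""
    return tuple(int(part) for part in v.split("."))


def parse_time(ts):
    """Registry timestamps end in 'Z'; normalise to an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def release_cutoff(min_age_days, now):
    """Latest publish time still considered old enough to install."""
    return now - timedelta(days=min_age_days)


def select_version(release_times, min_age_days, now):
    """Return the highest version published on or before the cutoff, or None.

    A freshly pushed (possibly malicious) release is skipped until it has
    survived `min_age_days` of public scrutiny; older releases stay eligible.
    """
    cutoff = release_cutoff(min_age_days, now)
    eligible = [v for v, ts in release_times.items() if parse_time(ts) <= cutoff]
    if not eligible:
        return None
    return max(eligible, key=parse_version)


def npm_install_args(package, release_times, min_age_days, now):
    """Build an `npm install` argv that pins the chosen version and also passes
    npm's `--before` flag, so transitive dependencies resolve to the same cutoff.
    """
    version = select_version(release_times, min_age_days, now)
    if version is None:
        raise ValueError(f"no release of {package} is at least {min_age_days} days old")
    cutoff = release_cutoff(min_age_days, now)
    return ["npm", "install", f"{package}@{version}", f"--before={cutoff.isoformat()}"]


if __name__ == "__main__":
    for days in (0, 1, 7):
        print(days, "day(s):", select_version(RELEASE_TIMES, days, NOW))
    print(" ".join(npm_install_args(PACKAGE, RELEASE_TIMES, 7, NOW)))
```

With a seven-day floor the script settles on `1.9.1` even though `1.10.0` and `1.10.1` exist, and a one-day floor admits `1.10.0` but still skips the release pushed the previous afternoon. The `--before` flag is the piece that matters for a real project: pinning one top-level version does nothing for the hundreds of transitive packages a lockfile-less install pulls in, whereas `--before` applies the same cutoff to every resolution.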