Is 'waiting a few days' an effective defense against supply chain attacks?

IT engineer Cal Patterson discusses in a blog post the pros and cons of waiting several days before incorporating updates to dependent libraries in order to avoid supply chain attacks.
Dependency cooldowns turn you into a free-rider
A supply chain attack targets not the victim's own code, but the libraries on which that code depends. In April 2026, there was an incident where an attacker purchased a company that develops WordPress plugins, took over the plugins, and added backdoors to all of them. In this case, anyone who updated the plugins ended up with a backdoor installed on their own website.
31 WordPress plugins found to have backdoors, added in updates after ownership transfer - GIGAZINE

Because supply chain attacks affect all applications that use the affected library, they are often detected and fixed within a few days of the attack starting. In the example of the WordPress plugin mentioned above, the plugin distribution was stopped within one day of the attack starting.
One possible solution is to 'wait a few days after the library is updated before incorporating the update.' If the library contains malicious code, someone should be affected and report it during that time. If no one reports it, then the update can be presumed to be harmless.
Regarding this 'wait a few days' approach, Patterson pointed out that it's a free-riding practice that 'relies on the expectation that people who update immediately will become free, unintentional beta testers of the newly released update.' He noted that while it might work on an individual level, it becomes unsustainable when everyone starts waiting a few days.
As an alternative, Patterson proposes introducing an 'upload queue.' Instead of each consumer 'waiting several days,' the package repository that handles publication and distribution would separate the two steps: a new package is first 'published,' and only 'distributed' to installers after a waiting period of several days.
By initially only publishing the update, there is a higher chance that malicious code can be detected through automated scans and external checks before it is actually distributed and causes harm. Furthermore, it provides time to notice if a developer's account has been compromised and an update containing malicious code has been pushed without their consent.

While the upload queue might appear at first glance to be the same as 'everyone waiting for several days,' it prevents inexperienced users from unintentionally becoming beta testers by using libraries immediately after an update.
Another advantage of the upload queue is that you know in advance when the update will be distributed. Many supply chain attacks involve not only the insertion of malicious code, but also an illegitimate release of the update itself. Allowing a few days between publication and distribution makes it easier to verify whether the update was released through a legitimate process.
Furthermore, regarding the maintenance costs of the upload queue, Patterson suggested introducing a rapid review process for commercial projects as a paid service, drawing on the Debian project, which actually operates an upload queue.
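To make the difference between the two approaches concrete, the following is an added Python model, not code from Patterson's post or from this article. It implements the upload queue described above (publication accepted at once, distribution only after a hold during which a release can be flagged and withheld) next to the consumer-side 'wait a few days' filter from earlier in the article, so it is visible who ends up installing a flagged release under each policy. The package name `examplepkg`, its version history, the dates and the three-day hold are constructed assumptions; the article gives no specific figures.

```python
"""Model of an upload queue: 'publish' and 'distribute' are separate steps with
a hold period between them, during which a release can be flagged and withheld.
Package name, versions, dates and the 3-day hold are constructed for this
example; the article gives no specific figures."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

HOLD = timedelta(days=3)      # assumed hold between publication and distribution
IMMEDIATE = timedelta(0)      # a client that installs every update right away


@dataclass
class Release:
    name: str
    version: Version
    published_at: datetime
    flagged_at: Optional[datetime] = None  # when a scan or report flagged it
    flag_reason: str = ""

    def is_flagged(self, now: datetime) -> bool:
        return self.flagged_at is not None and self.flagged_at <= now

    def distributable_at(self, hold: timedelta) -> datetime:
        return self.published_at + hold


class UploadQueue:
    """Registry side: publication is accepted at once, but installers are only
    served a release after its hold has elapsed without a flag being raised."""

    def __init__(self, hold: timedelta = HOLD) -> None:
        self.hold = hold
        self._releases: Dict[Tuple[str, Version], Release] = {}

    def publish(self, name: str, version: Version, when: datetime) -> Release:
        rel = Release(name, version, when)
        self._releases[(name, version)] = rel
        return rel

    def flag(self, name: str, version: Version, when: datetime, reason: str) -> None:
        """Record a scanner hit or a report; from `when` on the release is withheld."""
        rel = self._releases[(name, version)]
        rel.flagged_at, rel.flag_reason = when, reason

    def published(self, name: str, now: datetime) -> List[Release]:
        """Everything uploaded so far, which is what a registry without a queue
        would hand to any installer."""
        return [r for r in self._releases.values()
                if r.name == name and r.published_at <= now]

    def pending(self, name: str, now: datetime) -> List[Release]:
        """Published, unflagged, still inside the hold: the review window."""
        return [r for r in self.published(name, now)
                if not r.is_flagged(now) and r.distributable_at(self.hold) > now]

    def resolve(self, name: str, now: datetime) -> Optional[Release]:
        """Newest release an installer receives at `now` through the queue."""
        cands = [r for r in self.published(name, now)
                 if not r.is_flagged(now) and r.distributable_at(self.hold) <= now]
        return max(cands, key=lambda r: r.version) if cands else None


def resolve_with_client_cooldown(releases: List[Release], now: datetime,
                                 cooldown: timedelta) -> Optional[Release]:
    """Consumer-side 'wait a few days': the registry serves every upload at once
    and each client filters by age. With cooldown 0 this is the immediate updater
    whose compromise produces the flag that the cautious clients rely on."""
    cands = [r for r in releases
             if not r.is_flagged(now) and r.published_at + cooldown <= now]
    return max(cands, key=lambda r: r.version) if cands else None


def day(n: float) -> datetime:
    """Day `n` of the constructed timeline (UTC)."""
    return datetime(2026, 1, 1, tzinfo=timezone.utc) + timedelta(days=n)


def scenario() -> UploadQueue:
    """Constructed history of a hypothetical package 'examplepkg'."""
    q = UploadQueue()
    q.publish("examplepkg", (1, 0, 0), day(0))
    q.publish("examplepkg", (1, 1, 0), day(10))   # release carrying a backdoor
    q.publish("examplepkg", (1, 2, 0), day(12))   # maintainer's clean follow-up
    q.flag("examplepkg", (1, 1, 0), day(11), "backdoor reported by scanner")
    return q


if __name__ == "__main__":
    q = scenario()
    for n in (10.5, 11.5, 13, 15):
        uploaded = q.published("examplepkg", day(n))
        via_queue = q.resolve("examplepkg", day(n))
        eager = resolve_with_client_cooldown(uploaded, day(n), IMMEDIATE)
        print(f"day {n:>4}: queue serves {via_queue.version if via_queue else None}, "
              f"eager client installs {eager.version if eager else None}, "
              f"in review {[r.version for r in q.pending('examplepkg', day(n))]}")
```

On day 10.5 the eager client (cooldown 0) installs the backdoored 1.1.0 and becomes the unintentional beta tester; the client-side cooldown and the queue both hand out 1.0.0 at that point, but only the queue does so without anyone having been exposed, because 1.1.0 sits in the review window where the day-11 flag withholds it. After the maintainer's clean 1.2.0 is published on day 12, the queue's `pending` list shows exactly when it will become installable (day 15), which is the 'known distribution date' advantage the article mentions.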
Patterson says that the 'wait a few days' approach is 'not wrong from a personal standpoint,' but concludes his blog by saying that 'implementing it as a community best practice is a completely different matter,' and 'we want to avoid a situation where our own security depends on others being compromised first.'
in Security, Posted by log1d_ts