On Friday, June 12th, 2026 at 8:31 PM, [email protected] 
<[email protected]> wrote:

> Looking at the attack leveraging a small amount of accounts which are 
> adopting a lot of packages within a very short amount of time, I wonder if a 
> less nuclear solution may be to ratelimit/flag accounts that do so. That way, 
> the bottleneck becomes the speed at which the attacker gains access to AUR 
> accounts or creates them. The regular Captcha protection may be leveraged 
> here.
> 
> I apologize if a similar suggestion was already made.

I definitely agree that some risk modelling can alleviate these mass attacks, 
however, setting up and tuning parameters, then testing that it actually does 
have preventative power, takes time. In my opinion, the direction we should 
take is freeze now, identify current threats (we now have multiple variants 
using other JavaScript package managers), then enact this new model when it's 
ready, as well as other mitigations, since that alone won't be enough.

Reply via email to