
How to use curation time-delay policies to block package hijacks
Learn how to use a simple curation time-delay policy to defeat package hijacks
This training module explores how a simple time-delay policy can effectively defeat package hijacking attacks.
The September 2025 npm supply chain crisis, which compromised 26 packages including the popular chalk package (turned into cryptocurrency-stealing malware), exploited what is known as the attacker's window: the interval between a malicious package release and its detection, which can last up to 14 days.
Discover how JFrog Curation's immature package policy proactively eliminates this window by blocking packages younger than a configured age (for example, 14 days). By implementing this measure, organizations preemptively thwart attacks before a hijacked release can be pulled into a build. When a developer requests a blocked version, Curation ensures security without disrupting the workflow by resolving the request to an older version that satisfies the age policy. The trade-off is that legitimate releases, including security fixes, are delayed by the same interval, so the age threshold should be chosen against how long detection typically takes. Understand how this approach shifts development security from reactive scanning to proactive prevention.
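To make the policy concrete, here is an added example (not part of this module and not JFrog's code) that models a minimal immature-package check in JavaScript over an npm-style packument. It uses the registry's `time` map (version to publish timestamp) to compute each version's age, blocks any requested version younger than the threshold, and falls back to the newest version that is old enough. The package name, versions, timestamps and the `evaluatePolicy` helper are all constructed for illustration; pre-release version tags are deliberately left out of scope.

```javascript
const MIN_AGE_DAYS = 14;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed packument excerpt. The shape (dist-tags, time) follows the npm
// registry's document format; every version and timestamp here is made up.
const samplePackument = {
  name: "example-lib",
  "dist-tags": { latest: "5.6.1" },
  time: {
    created: "2023-01-15T09:00:00.000Z",
    modified: "2025-09-08T13:16:00.000Z",
    "5.3.0": "2025-07-01T10:00:00.000Z",
    "5.5.0": "2025-08-20T10:00:00.000Z",
    "5.6.0": "2025-09-08T13:00:00.000Z",
    "5.6.1": "2025-09-08T13:16:00.000Z",
  },
};

// Release-version matcher: three dot-separated integers. Pre-release tags
// such as 1.2.3-beta.1 are intentionally not handled in this example.
const RELEASE_RE = /^(\d+)\.(\d+)\.(\d+)$/;

function parseVersion(v) {
  const m = RELEASE_RE.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric compare on major, minor, patch; returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Whole days between a publish timestamp and "now" (negative if in the future).
function ageInDays(publishedIso, now) {
  return Math.floor((now.getTime() - Date.parse(publishedIso)) / MS_PER_DAY);
}

// Versions that have been public for at least minAgeDays, newest first.
// Non-version keys in the time map (created, modified) are skipped.
function matureVersions(packument, now, minAgeDays) {
  return Object.entries(packument.time)
    .filter(([v]) => parseVersion(v) !== null)
    .filter(([, published]) => ageInDays(published, now) >= minAgeDays)
    .map(([v]) => v)
    .sort((a, b) => compareVersions(b, a));
}

// Policy decision for one requested version. A version younger than
// minAgeDays is blocked and, where one exists, the newest mature version is
// returned as the substitute a resolver should serve instead.
function evaluatePolicy(packument, requested, now, minAgeDays = MIN_AGE_DAYS) {
  const published = packument.time[requested];
  if (published === undefined || parseVersion(requested) === null) {
    return { decision: "block", requested, substitute: null, reason: "unknown version" };
  }
  const age = ageInDays(published, now);
  if (age >= minAgeDays) {
    return { decision: "allow", requested, ageDays: age };
  }
  const [substitute = null] = matureVersions(packument, now, minAgeDays);
  return {
    decision: "block",
    requested,
    ageDays: age,
    substitute,
    reason: `published ${age} day(s) ago, policy requires ${minAgeDays}`,
  };
}

// Stand-alone run with a constructed "now" two days after the 5.6.x releases:
// 5.6.1 is blocked and 5.5.0 (published 20 days earlier) is the substitute.
const sampleNow = new Date("2025-09-10T00:00:00Z");
console.log(evaluatePolicy(samplePackument, "5.6.1", sampleNow));
console.log(evaluatePolicy(samplePackument, "5.5.0", sampleNow));
```

Note that the check keys on publish time, not on the `latest` dist-tag, so a hijacker moving `latest` to a freshly published version gains nothing until that version has aged past the threshold. When no version satisfies the age policy at all, the decision is still "block" with no substitute, which is the correct fail-closed behaviour for a brand-new package.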
While proactive prevention closes the attacker's window, you still need a robust response when a malicious package, like the chalk crypto-clipper malware, bypasses initial defenses.
Discover how JFrog Xray acts as a continuous security radar, ensuring that malicious components already in use are rapidly identified, and delivering the remediation guidance required to clean up the software supply chain.