The npm zero-day window: why threat feeds can't protect you during the first hours
When security teams talk about protecting against supply chain attacks, they usually talk about tools that scan dependencies against known vulnerability databases. Snyk. Dependabot. GitHub security alerts.
These tools work. But they have a fundamental constraint that is rarely discussed plainly: they only protect you against threats that have already been discovered, catalogued, and published to a database. Against a brand-new attack, they provide no protection during the window between publication and detection — a window that often lasts hours, and sometimes days.
This is the zero-day window. It is not a product failure. It is an architectural constraint.
How threat feeds work
A threat feed is a database of known-malicious package names and versions. When a malicious package is discovered, a researcher or an automated system identifies it, analyzes it, writes up the finding, and submits it to a vulnerability database; a reviewer then processes the submission, and only after that does the finding propagate to the scanning tools.
In practice this cycle is fast for high-profile packages and slow for everything else — typically several hours, sometimes longer.
What closes the window
Pinned lockfiles with hash verification. If every package version is pinned to a specific hash in a lockfile, a newly published malicious version cannot replace the legitimate one.
Cooling periods. Refusing to install any package version published less than N hours ago means you are never in the first wave.
Community consensus. If a malicious version is served to some users but not others, the hash mismatch becomes visible when comparing against community observations.
Veln implements all three: lockfile enforcement, configurable cooling periods, and community consensus checking. If a malicious version is published at 14:00 and your team's install runs at 14:02, Veln would hold the install with a message explaining that the version is 2 minutes old and has zero community observations.
Veln closes the zero-day window with cooling periods and community consensus. No threat feed required.