
Technical explainer

The npm zero-day window: why threat feeds can't protect you during the first hours


When security teams talk about protecting against supply chain attacks, they usually talk about tools that scan dependencies against known vulnerability databases. Snyk. Dependabot. GitHub security alerts.

These tools work. But they have a fundamental constraint that is rarely discussed plainly: they only protect you against threats that have already been discovered, catalogued, and published to a database. Against a brand-new attack, they provide no protection during the window between publication and detection — a window that often lasts hours, and sometimes days.

This is the zero-day window. It is not a product failure. It is an architectural constraint.

How threat feeds work

A threat feed is a database of known-malicious package names and versions. When a malicious package is discovered, a researcher or an automated system identifies it, analyzes it, writes up the finding, submits it to a vulnerability database, a reviewer processes the submission, and the finding propagates to scanning tools.

In practice this cycle is fast for high-profile packages and slow for everything else — typically several hours, sometimes longer.

What closes the window

Pinned lockfiles with hash verification. If every package version is pinned to a specific hash in a lockfile, a newly published malicious version cannot replace the legitimate one.

Cooling periods. Refusing to install any package version published less than N hours ago means you are never in the first wave.

Integrity fingerprinting. A local signed database of every (package, version) you have ever installed catches the case where the same version silently changes bytes, maintainers, or file layout between installs — visible immediately on the next install attempt.

Veln implements all three: lockfile enforcement, configurable cooling periods, and a signed local integrity store. If a malicious version is published at 14:00 and your team's install runs at 14:02, Veln holds the install with a message explaining that the version is 2 minutes old and below the configured cooling threshold.
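As an added illustration of the cooling-period and integrity-drift checks described above (example code written for this post, not Veln's implementation), the script below walks a lockfile-v3 `packages` map, looks up each version's publish time in the registry's `time` map, and holds anything younger than the threshold or whose `integrity` differs from what a local store recorded at first install. The lockfile, registry metadata and integrity store are constructed samples; the real Veln store is signed, which this plain object does not model.

```javascript
// Cooling-period + integrity-drift audit over an npm package-lock.json.
// All data below is constructed for the example; the shapes (lockfile v3
// "packages" map, packument "time" map, SRI "integrity" strings) are npm's.
const COOLING_HOURS = 24;

// Constructed lockfile excerpt (lockfileVersion 3).
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "node_modules/left-pad-ish": { version: "1.3.0", integrity: "sha512-AAAA" },
    "node_modules/fresh-util":   { version: "2.0.1", integrity: "sha512-BBBB" },
  },
};

// Constructed packument fragments: registry "time" maps version -> publish ISO time.
const registry = {
  "left-pad-ish": { time: { "1.3.0": "2024-01-10T09:00:00.000Z" } },
  "fresh-util":   { time: { "2.0.1": "2024-03-01T14:00:00.000Z" } },
};

// Hypothetical local integrity store: "name@version" -> integrity seen at first install.
const integrityStore = { "left-pad-ish@1.3.0": "sha512-AAAA" };

function ageHours(publishedIso, nowMs) {
  return (nowMs - Date.parse(publishedIso)) / 3_600_000;
}

// Returns findings; an empty array means the install may proceed.
function auditLockfile(lock, reg, store, nowMs, coolingHours = COOLING_HOURS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue;                         // "" is the root project itself
    const name = path.replace(/^.*node_modules\//, ""); // keeps scope, strips nesting
    const key = `${name}@${entry.version}`;
    const published = reg[name]?.time?.[entry.version];
    if (!published) { findings.push({ key, reason: "unknown-version" }); continue; }
    const age = ageHours(published, nowMs);
    if (age < coolingHours) findings.push({ key, reason: "too-new", ageHours: age });
    if (store[key] && store[key] !== entry.integrity) {
      findings.push({ key, reason: "integrity-drift" }); // same version, different bytes
    }
  }
  return findings;
}

// Mirrors the post's scenario: a version published at 14:00, install attempted at 14:02.
console.log(auditLockfile(lockfile, registry, integrityStore, Date.parse("2024-03-01T14:02:00.000Z")));
```

A lockfile only protects an install that is required to honour it, so run `npm ci` in CI rather than a bare `npm install`, which may rewrite the lockfile instead of failing on a mismatch.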

Veln closes the zero-day window with cooling periods and integrity fingerprinting. No threat feed required.