

How? If you got hit by this you are looking at restoring the system from a safe previous version.
And the compromised versions get pulled, not superseded by a new release, so once you rebuild you would go back to a safe version…




As long as the bot is not allowed to automatically merge minor version bumps in libraries…


You can mitigate similar attacks by editing your .npmrc
```ini
min-release-age=7 # days
ignore-scripts=true
```
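
An added example (not part of the original comment): a small Node.js check that lists which lockfile entries those two settings would affect, meaning versions published fewer than 7 days ago and packages that declare install scripts. The lockfile excerpt, publish times and package names are constructed, and `auditLock` is a hypothetical helper, not an npm API.

```javascript
// Threshold mirroring min-release-age=7 from the .npmrc above.
const MIN_RELEASE_AGE_DAYS = 7;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed excerpt of the "packages" map of a package-lock.json (lockfileVersion 3).
// npm records hasInstallScript: true for packages with install lifecycle scripts.
const lockPackages = {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/left-util": { version: "2.4.1" },
  "node_modules/fast-thing": { version: "5.0.3", hasInstallScript: true },
  "node_modules/old-native": { version: "1.2.0", hasInstallScript: true },
  "node_modules/@acme/tiny": { version: "0.9.0" },
};

// Constructed publish times, shaped like the per-version "time" map in registry metadata.
const publishTimes = {
  "left-util": { "2.4.1": "2025-11-02T10:00:00.000Z" },
  "fast-thing": { "5.0.3": "2026-02-08T12:00:00.000Z" },
  "old-native": { "1.2.0": "2024-06-01T00:00:00.000Z" },
  "@acme/tiny": { "0.9.0": "2026-02-05T00:00:00.000Z" },
};

// Return every locked dependency that is too new or would run code at install time.
function auditLock(packages, times, now, minAgeDays) {
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "") continue; // the root project itself
    // Handles nested and scoped paths: keep what follows the last "node_modules/".
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const published = times[name]?.[entry.version];
    const reasons = [];
    if (!published) {
      reasons.push("publish time unknown");
    } else {
      const ageDays = (now - Date.parse(published)) / MS_PER_DAY;
      if (ageDays < minAgeDays) reasons.push(`released ${ageDays.toFixed(1)} days ago`);
    }
    if (entry.hasInstallScript) reasons.push("has install script");
    if (reasons.length > 0) findings.push({ name, version: entry.version, reasons });
  }
  return findings;
}

// Fixed "now" (constructed) so the result is reproducible.
const NOW = Date.parse("2026-02-10T00:00:00.000Z");
for (const f of auditLock(lockPackages, publishTimes, NOW, MIN_RELEASE_AGE_DAYS)) {
  console.log(`${f.name}@${f.version}: ${f.reasons.join(", ")}`);
}
```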


Yes I do. I cooked a small python script that runs at the end of every daily backup
```python
import json
import os
import subprocess

# Output directory
OUTPUT_DIR = "/data/dockerimages"
os.makedirs(OUTPUT_DIR, exist_ok=True)

# Grab all the docker images. Each line is a JSON string defining the image
imagenes = subprocess.run(
    ["docker", "images", "--format", "json"],
    stdout=subprocess.PIPE,
    stderr=subprocess.DEVNULL,
).stdout.decode().splitlines()

for imagen in imagenes:
    if not imagen.strip():
        continue
    datos = json.loads(imagen)
    # ID of the image to save
    imageid = datos["ID"]
    # Compose the output name like this
    # ghcr.io-immich-app-immich-machine-learning:release:2026-01-28:3c42f025fb7c.tar
    outputname = f"{datos['Repository']}:{datos['Tag']}:{datos['CreatedAt'].split(' ')[0]}:{imageid}.tar".replace("/", "-")
    outputpath = os.path.join(OUTPUT_DIR, outputname)
    # If the file already exists just skip it
    if not os.path.isfile(outputpath):
        print(f"Saving {outputname}...")
        subprocess.run(["docker", "save", imageid, "-o", outputpath])
    else:
        print(f"Already exists {outputname}")
```


26, tho this includes multi-container services like immich or paperless, which have 4 each.
I live in Spain, so the main ISP is well provided with IPv4 blocks and has zero incentive to deploy IPv6 outside of mobile networks. So the IPv6 deployment here is like 3% and I don’t have access to it 🫠