First Seen

The first-seen rule blocks packages that were first published to the registry within a configurable quarantine period. This gives the security community time to discover and flag malicious packages before they reach your developers.

What it detects

This rule catches brand-new package names -- not new versions of established packages. When a package is first created on npm within the last N days (default: 7), all of its versions are blocked.

This is an important distinction. If express publishes a new version today, the first-seen rule does not trigger because the express package has existed for years. But if expres (a typosquat) is created today, the first-seen rule blocks it.

How it works

  1. When a package is requested, nproxy reads the time.created field from the packument (the package's registry metadata document).
  2. If the package was first created within the quarantine window (default: 7 days ago), all versions are flagged.
  3. In block mode, all versions are stripped from the packument, so the package is effectively unavailable. In warn mode, the install proceeds normally but a warning is logged.

The quarantine window is calculated as: current time - (days * 24 * 60 * 60 * 1000).

Configuration

Setting                 Value
Default level (Free)    off
Default level (Pro)     block
Parameter: days         Number of days in the quarantine window. Default: 7

Adjusting the quarantine period

Set the days parameter in the dashboard under Rules > First Seen:

  • 7 days (default) -- Balanced protection. Most malicious packages are flagged within a week.
  • 14 days -- Stricter. Provides more time for community vetting.
  • 3 days -- More permissive. Useful if your team frequently adopts new packages.
  • 0 days -- Effectively disabled (same as setting the rule to off).

Real-world examples

This rule would have caught:

  • crossenv (2017) -- Typosquat of cross-env that stole environment variables. The package was brand new and would have been quarantined.
  • @typescript_eslinter/eslint (2024) -- Fake scope mimicking @typescript-eslint that downloaded a trojan. The package was brand new.

Limitations

  • This rule only checks when the package was created, not when individual versions were published. A package that has existed for a year can publish a new malicious version and this rule will not catch it. That is the job of the malware and publisher change rules.
  • The rule depends on the time.created field being present in the packument. If this field is missing, the rule returns no results.

Recommendation

Block for Pro and Enterprise teams. The 7-day quarantine catches the vast majority of typosquats and quick-hit supply chain attacks with minimal disruption to developers, since it only affects packages they have never used before.