Comment by winwang

3 months ago

Just want to agree with everyone who is thanking you for owning up (and so quickly). Got phished once while drunk in college (a long time ago), could have been anyone. NPM being slowish to get back to you is a bit surprising, though. Seems like that would only make attacks more lucrative.

Can happen to anyone… who doesn’t use password manager autofill and unphishable 2FA like passkeys.

Most people who get phished aren’t using password managers, or they would notice that the autofill doesn’t work because the domain is wrong.

Additionally, TOTP 2FA (numeric codes) is phishable; stop using it when U2F/WebAuthn/passkeys are available.

I have never been phished because I follow best practices. Most people don’t.
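
The origin binding that makes WebAuthn resistant to the phishing described in this thread, as an added example (not code from anyone in the thread). All values are constructed: `registry.example` stands in for the relying party, and `make_assertion` simulates the browser's role so the relying-party check can be run offline.

```python
import base64
import hashlib
import json

# Constructed relying-party settings (example values, not any real registry's).
RP_ID = "registry.example"
EXPECTED_ORIGIN = "https://registry.example"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_assertion(page_origin: str, challenge: bytes) -> dict:
    """Simulate what a browser returns from navigator.credentials.get().
    The browser fills in `origin` from the page that called the API and the
    authenticator hashes the rpId the browser allowed for that page; script
    on the page cannot forge either field. A TOTP code has no such field."""
    host = page_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP set) || counter
    auth_data = hashlib.sha256(host.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    return {"clientDataJSON": b64url(client_data), "authenticatorData": b64url(auth_data)}

def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party checks that run before the signature is even examined.
    Returns (ok, reason). A real-time phishing proxy can relay the genuine
    challenge, but it cannot make the victim's browser report the real origin."""
    client = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client.get("origin"))
    auth_data = b64url_decode(assertion["authenticatorData"])
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to another site"
    return True, "ok (signature verification would follow)"
```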

  • I use a password manager. I was on mobile; the autofill stuff isn't installed, as I don't use it often on my phone.

    In 15 years of maintaining OSS, I've never been pwned, phished, or anything of the sort.

    Thank you for your input :)

    • I'm angry about this. Large megacorps with the budget of medium-sized countries allocate the minimum amount of budget to maintain their auth systems and still allow the use of phishable auth methods. If npm disabled passwords and forced people to use passkeys, this huge problem just disappears tomorrow.

      But instead, we're left with this mess where ordinary developers are forced to deal with the consequences of getting phished.


    • I never copy and paste passwords. Any time you find yourself wanting to do that, alarm bells should be ringing.

      Password managers can’t help you if you don’t use them properly.

      Spotify steals (and presumably uploads) your clipboard, as well as other apps. Autofill is your primary defense against phishing, as you (and hopefully some others) learned this week.


  • You can use password manager autofill and hardware 2fa and still get phished. All it takes is you rushing, not paying attention, clicking on a link, and logging in (been caught by my own security team doing this). Yes, in an ideal world you're going to be 100% perfect. The world is not ideal, unfortunately. I don't have a solution, but demanding humans behave perfectly in order to remain secure is not a reasonable ask.

  • I also use WebAuthn where possible but wouldn’t be so cocky. The most likely reason why we haven’t been phished is that we haven’t been targeted by a sophisticated attacker.

    One side note: most systems make it hard to completely rely on WebAuthn. As long as other options are available, you are likely vulnerable to an attack. It’s often easier than it should be to get a vendor to reset MFA, even for security companies.

    • The failure here was that his password manager was not configured and he manually copied and pasted the credentials into the wrong webpage.

      A password manager can’t manage passwords if you don’t configure it and use it.


  • > I have never been phished because I follow best practices. Most people don’t.

    You forgot to mention that you are both highly skilled and practiced at phishing yourself... don't you think that helps too?