Comment by junon

3 months ago

Yep - https://gist.github.com/Qix-/c1f0d4f0d359dffaeec48dbfa1d40ee...

How did simply opening this email in something like Gmail or a desktop client result in it being able to compromise NPM packages under your control?

I'm just curious - and as a word of warning to others so we can learn. I may be missing some details, I've read most of the comments on the page.

  • I clicked the link like a genius :)

    • I don't understand. The link could've come from anywhere (for example from a HN comment). How does just clicking on it give your package credentials to someone else? Is NPM also at fault here? I'd naively think that this shouldn't be possible.

      For example, GitHub asks for 2FA when I change certain repo settings (or when deleting a repo, etc.), even when I'm logged in. Maybe NPM needs to do the same?