Comment by alexellisuk

3 months ago

How did simply opening this email in something like Gmail or a desktop client result in it being able to compromise NPM packages under your control?

I'm just curious - and as a word of warning to others so we can learn. I may be missing some details, I've read most of the comments on the page.

9 comments

alexellisuk

I clicked the link like a genius :)

osa1 3 months ago
I don't understand. The link could've come from anywhere (for example from a HN comment). How does just clicking on it give your package credentials to someone else? Is NPM also at fault here? I'd naively think that this shouldn't be possible.
For example, GitHub asks for 2FA when I change certain repo settings (or when deleting a repo etc.) even when I'm logged in. Maybe NPM needs to do the same?
- dboreham 3 months ago
  
  OP entered their credentials and TOTP code, which the attacker proxied to the real npmjs.com
  FWIW npmjs does support FIDO2 including hard tokens like Yubikey.
  They do not force re-auth when issuing an access token with publish rights, which is probably how the attackers compromised the packages. iirc GitHub does force re-auth when you request an access token.
  
  1 reply →
- koil 3 months ago
  
  As OC mentioned elsewhere, it was a targeted TOTP proxy attack.
  
  2 replies →
alexellisuk 3 months ago

:-( How did the link hijack your password/2fa? Or did you also enter some stuff on the form?