top | item 45171927

osa1 | 5 months ago

I don't understand. The link could've come from anywhere (for example from a HN comment). How does just clicking on it give your package credentials to someone else? Is NPM also at fault here? I'd naively think that this shouldn't be possible.

For example, GitHub asks for 2FA when I change certain repo settings (or when deleting a repo etc.) even when I'm logged in. Maybe NPM needs to do the same?

dboreham | 5 months ago

OP entered their credentials and TOTP code, which the attacker proxied to the real npmjs.com.

FWIW npmjs does support FIDO2 including hard tokens like Yubikey.

They do not force re-auth when issuing an access token with publish rights, which is probably how the attackers compromised the packages. IIRC GitHub does force re-auth when you request an access token.
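Why a proxied TOTP code works but a FIDO2 assertion does not, as an added illustration that is not part of this thread and not npm's or GitHub's code. It implements RFC 6238 TOTP verification and a simplified WebAuthn origin check; the secret, device key, challenge, and the hostnames `npmjs-login.example` / `evil.npmjs.com` are constructed, and an HMAC stands in for the authenticator's asymmetric signature to keep the example stdlib-only.

```python
import base64
import hashlib
import hmac
import json
import struct
from urllib.parse import urlparse

# Constructed demo secret (base32), not a real account secret.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret_b32, unix_time // step)


def verify_totp(secret_b32: str, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check; most deployments accept the neighbouring windows too."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret_b32, counter + d), code)
               for d in range(-skew, skew + 1))


def relayed_totp_accepted(secret_b32: str, typed_at: int, relayed_at: int) -> bool:
    """The user types a code into a look-alike page at typed_at and the relay
    forwards it to the real site at relayed_at. A TOTP code carries no
    information about where it was typed, so the real site accepts it as long
    as the relay is fast enough to land inside the accepted time window."""
    code = totp(secret_b32, typed_at)
    return verify_totp(secret_b32, code, relayed_at)


def browser_allows_credential(rp_id: str, page_host: str) -> bool:
    """Simplified browser rule: a credential scoped to rp_id is only usable on
    pages whose host is rp_id or a subdomain of it."""
    return page_host == rp_id or page_host.endswith("." + rp_id)


def _signed_bytes(rp_id: str, client_data: bytes) -> bytes:
    # WebAuthn signs authenticatorData (contains SHA-256(rpId)) || SHA-256(clientDataJSON).
    return hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()


def make_assertion(device_key: bytes, rp_id: str, page_origin: str, challenge: str):
    """Authenticator side. The browser, not the page, fills in the origin it
    actually loaded, so the page cannot lie about it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    sig = hmac.new(device_key, _signed_bytes(rp_id, client_data), hashlib.sha256).digest()
    return client_data, sig


def rp_verify(device_key: bytes, rp_id: str, expected_origin: str, challenge: str,
              client_data: bytes, sig: bytes) -> bool:
    """Relying-party side: origin and challenge must match, then the signature."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get" or data.get("challenge") != challenge:
        return False
    if data.get("origin") != expected_origin:
        return False  # relayed assertion from a look-alike origin stops here
    expected_sig = hmac.new(device_key, _signed_bytes(rp_id, client_data), hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, sig)


def webauthn_login_accepted(page_origin: str, real_origin: str = "https://www.npmjs.com",
                            rp_id: str = "npmjs.com") -> bool:
    """End-to-end: the user completes a FIDO2 ceremony on page_origin and the
    result is relayed to the real site. Only the genuine origin succeeds."""
    host = urlparse(page_origin).hostname or ""
    if not browser_allows_credential(rp_id, host):
        return False  # browser refuses to even use the credential here
    challenge = "constructed-challenge"      # constructed; real RPs use a random nonce
    device_key = b"constructed-device-key"   # constructed stand-in for the key pair
    client_data, sig = make_assertion(device_key, rp_id, page_origin, challenge)
    return rp_verify(device_key, rp_id, real_origin, challenge, client_data, sig)


if __name__ == "__main__":
    now = 1_700_000_000
    print("TOTP relayed 5s later accepted:", relayed_totp_accepted(DEMO_SECRET_B32, now, now + 5))
    print("TOTP relayed 100s later accepted:", relayed_totp_accepted(DEMO_SECRET_B32, now, now + 100))
    print("FIDO2 from look-alike domain:", webauthn_login_accepted("https://npmjs-login.example"))
    print("FIDO2 from genuine origin:", webauthn_login_accepted("https://www.npmjs.com"))
```

The TOTP path shows the limitation the thread is discussing: the second factor proves possession of the shared secret, not which site the user is talking to, so a relay that forwards the code within the validity window is indistinguishable from the user. The WebAuthn path fails twice over for a look-alike domain: the browser will not use a credential scoped to `npmjs.com` there, and even a subdomain that passes that check produces a signed `origin` field the real site rejects. On the detection side, the TOTP case is only visible as a login from an unexpected client address shortly followed by token issuance, which is why a re-auth step on publish-token creation matters.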

osa1 | 5 months ago

> They do not force re-auth when issuing an access token with publish rights, which is probably how the attackers compromised the packages

I'm surprised by this. Yeah, GitHub definitely forces you to re-auth when accessing certain settings.

koil | 5 months ago

As OC mentioned elsewhere, it was a targeted TOTP proxy attack.

hughw | 5 months ago

So, he clicked the link and then entered his correct TOTP? How would manually typing the URL instead of clicking the link have mitigated this?