| Ignore anything coming from npm you didn't expect. Don't click links, go to the website directly and address it there. That's what I should have done, and didn't because I was in a rush. Don't do security things when you're not fully awake, too. Lesson learned. The email was a "2FA update" email telling me it's been 12 months since I updated 2FA. That should have been a red flag but I've seen similarly dumb things coming from well-intentioned sites before. Since npm has historically been in contact about new security enhancements, this didn't smell particularly unbelievable to my nose. The email went to the npm-specific inbox, which is another way I can verify them. That address can be queried publicly but I don't generally count on spammers to find that one but instead look at git addresses etc. The domain name was `npmjs dot help` which obviously should have caught my eye, and would have if I was a bit more awake. The actual in-email link matched what I'd expect on npm's actual site, too. I'm still trying to work out exactly how they got access. They didn't technically get a real 2FA code from the actual, I don't believe. EDIT: Yeah they did, never mind. Was a TOTP proxy attack, or whatever you'd call it. Will post a post-mortem when everything is said and done. |
| |
| ▲ | dboreham 4 days ago | parent | next [-] | | I see (I think): they tricked you into entering a TOTP code into their site, which they then proxied to the real names, thereby authenticating as your account. Is that correct? | | |
| ▲ | sugarpimpdorsey 4 days ago | parent | next [-] | | It only proves that TOTP is useless against phishing. | | |
| ▲ | goku12 4 days ago | parent | next [-] | | Every day brings me another reason to ask the question: "Why the hell did they throw away the idea of mutual TLS?". They then went on to invent mobile OTP, HOTP, TOTP, FIDO-U2F and finally came full circle by reinventing the same concept, but in a more complex incarnation - Passkeys. | | |
| ▲ | tpxl 4 days ago | parent | next [-] | | Works this way for my government and my bank. I was given a cert matching my real name and the login just asks for my cert and pulls me through (with additional 2FA for the bank). Pretty amazing if you ask me. | | |
| ▲ | goku12 4 days ago | parent [-] | | Which government is this, if I may ask? | | |
| ▲ | SahAssar 4 days ago | parent [-] | | I'm going to guess Estonia, which has had this since the mid-2000s IIRC. | | |
| ▲ | jve 3 days ago | parent [-] | | Latvia has it too. We have ID cards, which are smartcards; we use them to set up an authentication app that allows us to authenticate with online services and can even do transactions remotely, like selling a house (well, that is the extreme case and one needs to connect to a Teams meeting, show your face, have a high quality video/connection and show your ID card, along with digital auth). But anyway, it is used all over the place: many, many sites support that auth, the banks support it and even remote auth scenarios are possible. Just today I was calling mobile operator support and they had to verify me - so after saying my ID, an auth request popped up from the app asking to verify my identity to the mobile operator (the app shows who is asking for auth). Authentications are separated, and if some signature must be placed or money sent, you must use another access code and the app shows the intention of what you are authorizing. If it is money being sent, you see where and how much you want to send before you approve this request in the app. But the app is all tied to the digital identity from the ID card in the first place - to set up these strong authentication guarantees you use your ID card. Some time ago we had to use a computer with a smartcard reader to set it up; nowadays I dunno whether it is NFC or something, but the mobile phone can read the ID card. |
|
|
| |
| ▲ | mschuster91 4 days ago | parent | prev | next [-] | | the UI for client side certificates was shit for years. no one particularly cared. passkeys however are... pretty reasonable. | | |
| ▲ | xorcist 4 days ago | parent | next [-] | | That's just it. If any of the browser vendors put 1% of the work they spent on renewing their visual identity, remodeling their home page, or inventing yet another menu system into slightly easier to use client certificates (and smart cards) this would have been a solved problem two decades ago. All the pieces are in place, every browser has supported this since the birth of SSL, it's just the user interface bits that are missing. It's nothing short of amazing that nobody worked on this. It's not as if there isn't a need. Everyone with high security requirements (defense, banks etc.) already does this, but with clumsy plugins and (semi-)proprietary software. Instead we get the nth iteration of settings redesigns. | | | |
| ▲ | goku12 4 days ago | parent | prev | next [-] | | > the UI for client side certificates was shit for years. no one particularly cared. That's exactly what I mean! Who would use it if the UI/UX is terrible? Many Gemini (protocol) browsers like Lagrange have such pleasant UIs for it, though somewhat minimal. With sufficient push, you could have used mutual TLS from even hardware tokens. | |
| ▲ | 4 days ago | parent | prev | next [-] | | [deleted] | |
| ▲ | chuckadams 4 days ago | parent | prev [-] | | At least on a Mac, you can just double-click a cert file, it'll prompt to install in Keychain, and anything using macOS's TLS implementation will see it. | | |
| ▲ | goku12 3 days ago | parent [-] | | And what about the browser? How does it know which client cert (I assume the key is also there) to use for a site? Does it prompt you before proceeding with authentication? | | |
| ▲ | chuckadams 3 days ago | parent [-] | | The domains the cert gets presented to is also configured in Keychain, and Safari uses it. Looks like Firefox has its own thing, buried several layers deep in settings. No idea about chrome. It's definitely a process you'd want to script in an installer, nothing you'd want to subject the end user to. So yeah, still pretty crap UX overall. |
|
|
| |
| ▲ | 4 days ago | parent | prev | next [-] | | [deleted] | |
| ▲ | quotemstr 4 days ago | parent | prev [-] | | Because the tech industry egregore is a middling LLM that gets its context window compacted every generation. |
| |
| ▲ | ksdnjweusdnkl21 4 days ago | parent | prev | next [-] | | TOTP isn't designed to be against phishing. It's against weak, leaked or cracked passwords. | | |
| ▲ | Scoundreller 4 days ago | parent | next [-] | | Lots of junk TOTP apps in app stores. Once heard of a user putting in a helpdesk ticket asking why they had to pay for the TOTP app. Then I realize their TOTP seed is probably out in the open now. I’m sure we can imagine how else this could go badly… | |
| ▲ | 4 days ago | parent | prev [-] | | [deleted] |
| |
| ▲ | patrakov 2 days ago | parent | prev | next [-] | | No. It only proves that TOTP, as implemented by mobile apps, is useless against phishing. The extension from https://authenticator.cc, with smart domain match enabled, would have caught this by showing all other TOTP codes besides the one intended by NPM. On a Mac, Keychain would also have caught this by not autofilling: https://support.apple.com/en-ph/guide/passwords/mchl873a6e72... | |
| ▲ | dboreham 4 days ago | parent | prev [-] | | Yes. This attack would not have worked if FIDO2 (or the software emulation Passkey) had been used. |
| |
| ▲ | junon 4 days ago | parent | prev [-] | | Seems so, yes. |
| |
| ▲ | jvuygbbkuurx 4 days ago | parent | prev | next [-] | | Did they also phish the login password after clicking the link or did they already have it? | | |
| ▲ | junon 4 days ago | parent [-] | | They phished username, password (unique to npm), and a TOTP code. They even gave me a new TOTP code to install (lol) and it worked. Showed up in authy fine. Whoever made this put a ton of effort into it. | | |
| ▲ | scratchyone 4 days ago | parent | next [-] | | Damn, that's an impressively well-done attack. Curious, do you use a password manager? If so, did its not autofilling feel like a red flag to you? I've always wondered if I ever get phished if I'll notice bc of that or if I'll just go "ugh 1password isn't working, guess I'll paste my password in manually" and end up pwned | | |
| ▲ | junon 4 days ago | parent | next [-] | | I was on mobile, didn't use the autofiller. Also previous experience with the web extensions showed me that they were flaky at best anyway. The `.help` should have been the biggest red flag, followed by the 48-hours request timeline. I wasn't thinking about things like I normally would this morning and just wanted to get things done today. Been a particularly stressful week, not that it's any excuse. | |
| ▲ | nixosbestos 4 days ago | parent | prev [-] | | I'm thinking on what all the anti-passkey folks have to say right now. Or the "password managers aren't necessary" crowd. |
| |
| ▲ | 4 days ago | parent | prev [-] | | [deleted] |
|
| |
| ▲ | mkfs 3 days ago | parent | prev | next [-] | | > because I was in a rush That's how they get you. | |
| ▲ | tadamcz 4 days ago | parent | prev | next [-] | | Using a security key as 2FA instead of TOTP would have prevented this attack, right? If you maintain popular open source packages for the love of God get yourself a couple of security keys. | | |
| ▲ | SahAssar 4 days ago | parent [-] | | Well, that would also require all the services to support webauthn/FIDO, which a lot of them don't. Some who do support it only allow one key or trivial bypass via "security questions". |
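As an added example (not the thread's code, nor npm's), here is the relying-party check that makes dboreham's and tadamcz's point concrete: a FIDO2/passkey assertion carries the page origin inside the signed clientDataJSON, so a response collected on a lookalike domain and relayed to the real site fails verification, whereas a TOTP code carries no origin at all. The RP origin and the challenge are assumed values for the example; signature verification over the signed payload is a separate step not shown here.

```python
import base64
import hashlib
import hmac
import json

# Assumed relying-party origin for this example; the thread only names npmjs.com.
RP_ORIGIN = "https://www.npmjs.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_client_data(client_data_json: bytes, expected_challenge: bytes) -> bool:
    """Validate the clientDataJSON fields that bind an assertion to origin and challenge."""
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False
    if data.get("type") != "webauthn.get":
        return False
    challenge = data.get("challenge")
    if not isinstance(challenge, str) or not hmac.compare_digest(
        challenge.encode(), b64url(expected_challenge).encode()
    ):
        return False
    # The browser writes the page origin here; a relaying phishing page cannot
    # change it, so an assertion produced on npmjs.help fails for npmjs.com.
    if data.get("origin") != RP_ORIGIN:
        return False
    # A first-party login must not be a cross-origin (iframe) ceremony.
    return not data.get("crossOrigin", False)


def signed_payload(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """What the credential's private key actually signs: authData || SHA-256(clientDataJSON)."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON, shaped as a browser builds it for the given page origin."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def demo() -> tuple:
    challenge = bytes(range(32))  # constructed server challenge
    legit = make_client_data("https://www.npmjs.com", challenge)
    phished = make_client_data("https://npmjs.help", challenge)
    return check_client_data(legit, challenge), check_client_data(phished, challenge)
```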
| |
| ▲ | sugarpimpdorsey 4 days ago | parent | prev [-] | | > The domain name was `npmjs dot help` which obviously should have caught my eye, and would have if I was a bit more awake. It's a good thing the WebPKI cartel mostly did away with EV certs.... these days any old cert where only the SAN matches the domain and your browser gives a warm fuzzy "you're secure!" | | |
| ▲ | mananaysiempre 4 days ago | parent | next [-] | | The browsers mostly did away with EV certs[1], against sustained pushback from CAs, because of research invariably showing that the feeling of security is mostly unfounded. (Both because users are garbage at reading security indicators—and unscrupulous companies are eager to take advantage of that, see Cloudflare’s “security of your connection”—and because the legal-name namespace is much more Byzantine and locale-dependent than any layman can parse[2].) By contrast, OV certs, which were originally supposed to provide a very similar level of assurance, were done away with by CAs themselves, by cost-optimizing the verification requirements into virtual nonexistence. That said, it remains a perpetual struggle to get people to understand the difference between being connected to the legitimate operator of satan.example (something an Internet-wide system mostly can guarantee) and it being wise to transact there (something extensive experience shows it can’t and shouldn’t try to). And if you’re a domain owner, your domain is your identity; pick one and stick to it. Stackoverflow.blog is stupid, don’t be like stackoverflow.blog. [1] https://www.troyhunt.com/extended-validation-certificates-ar... [2] https://arstechnica.com/information-technology/2017/12/nope-... | | |
| ▲ | sugarpimpdorsey 4 days ago | parent [-] | | > That said, it remains a perpetual struggle to get people to understand the difference between being connected to the legitimate operator of satan.example That's because the browser implementers gave up on trying to solve the identity problem. It's too difficult they said, we'd rather push other things. Google implemented certificate pinning in Chrome for themselves and a few friends, said fuck everyone else, and declared the problem solved. Who cares about everyone else when your own properties are protected and you control the browser? Meanwhile the average user has no idea what a certificate does, whether it does or doesn't prove identity. No wonder they removed the lock icon from the browser. | | |
| |
| ▲ | Kwpolska 4 days ago | parent | prev [-] | | People never paid attention to the special EV cert markers. And even if they did, what would stop someone from registering a company named "npm, Inc." and buying an EV cert for it? Sure, it’s going to cost some money upfront, but you can make much more by stealing cleptocurrency. |
|
|
| |
| ▲ | ziml77 4 days ago | parent | next [-] | | After nearly being phished once (only having a confirmation email save me) I've taken to being extra vigilant if I don't get a password entry suggestion from my password manager. It means I need to be extremely damn sure I'm on a domain that is controlled by the same entity my account is with. So far I haven't had another incident like that and I hope to keep it that way. | |
| ▲ | withinboredom 4 days ago | parent | prev [-] | | This isn’t exactly true. My password manager fails to recognise the domain I’m on, all the time. I have to go search for it and then copy/paste it in. That being said, if you’re making login pages: please, for the love of god, test them with multiple password managers. Oh, and make sure they also work correctly with the browser’s autotranslation. Don’t rely on the label to make form submission decisions ... please. | | |
| ▲ | diggan 4 days ago | parent [-] | | > This isn’t exactly true. My password manager fails to recognise the domain I’m on, all the time. I have to go search for it and then copy/paste it in. I'd probably go looking for a new password manager if it fails to do one of the basic features they exist for, copy-pasting passwords defeats a lot of the purpose :) > That being said, if you’re making login pages I think we're doomed on this front already. My previous bank still (in 2025!) only allows 6 numbers as the online portal login password, no letters or special characters allowed, and you cannot paste in the field so no password manager works with their login fields, the future is great :) | | |
| ▲ | withinboredom 4 days ago | parent [-] | | > I'd probably go looking for a new password manager if it fails to do one of the basic features they exist for, copy-pasting passwords defeats a lot of the purpose :) This isn’t the fault of the password managers themselves, but devs not putting the right metadata on their login forms, or having the password field show only after putting in the email address, causing the password input to fail to be filled, etc. | | |
| ▲ | sunaookami 3 days ago | parent | next [-] | | Then get a good password manager that matches the domain and triple-check if it's a new domain. If your password manager shows you your npm login for npmjs.com and you are suddenly on a new domain and your password manager doesn't show logins, you will notice. | | |
| ▲ | Macha 3 days ago | parent [-] | | I've noticed failure to fill the right fields (or any fields) on Lastpass, 1Password, Bitwarden and the KeepassXC browser extension. What is your mythical "good password manager"? | | |
| ▲ | diggan 3 days ago | parent [-] | | I'm using 1Password+Firefox+Linux, it fails to find the right username+passwords maybe 10% of the time, mostly because services keep using different domains for login than for signup, so it doesn't recognize it's a valid domain. In those cases, I carefully review the new domain, make sure it belongs to the right owner, then add it to the list of domains to accept. Now the account list properly shows up in the future too, until they again change it. But it gives me a moment to pause and reflect before just moving past it. I cannot remember any times in the last years where 1Password was 100% unable to fill out the username/password for a website unless the website itself prevented pasting passwords (like my old bank). But even if it fills the wrong fields, it still provides safety as you wouldn't even see the accounts in the list if you're on the wrong domain, so that's your first warning sign. |
|
| |
| ▲ | aaronharnly 4 days ago | parent | prev [-] | | or switching to some generic-sounding domain during login | | |
| ▲ | sunaookami 3 days ago | parent [-] | | Good password managers can match subdomains, substrings, "url starts with", etc. There is no excuse. |
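Added example (not the thread's code, nor any real password manager's) of the "smart domain match" behaviour patrakov, diggan and sunaookami describe: a saved login is offered only when the current page's registrable domain (eTLD+1) equals the saved one, or the user has reviewed and added the domain by hand, so a lookalike such as npmjs.help gets no autofill. The suffix table is a constructed stand-in for the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed mini public-suffix table; a real manager would load the full PSL.
PUBLIC_SUFFIXES = {"com", "org", "help", "co.uk", "example"}


def registrable_domain(host: str) -> str:
    """Return eTLD+1 for a host, e.g. 'login.npmjs.com' -> 'npmjs.com'."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full name down to the TLD; the first hit is the longest suffix.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return ".".join(labels)  # host is itself a public suffix
            return ".".join(labels[i - 1:])
    return ".".join(labels)  # unknown suffix: treat whole host as the domain


def credential_matches(saved_url: str, current_url: str, extra_domains=()) -> bool:
    """Decide whether the credential saved for saved_url may be offered on current_url."""
    cur = urlsplit(current_url)
    if cur.scheme != "https":  # never offer a password to a plaintext page
        return False
    cur_dom = registrable_domain(cur.hostname or "")
    if cur_dom == registrable_domain(urlsplit(saved_url).hostname or ""):
        return True
    # Domains the user explicitly reviewed and added (the workflow diggan describes).
    return cur_dom in {registrable_domain(d) for d in extra_domains}
```

Note that a substring or "starts with" rule would accept npmjs.com.evil.example; matching on the registrable domain does not.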