Did they also phish the login password after clicking the link or did they already have it?

They phished username, password (unique to npm), and a TOTP code.

They even gave me a new TOTP code to install (lol) and it worked. Showed up in authy fine. Whoever made this put a ton of effort into it.

▲

scratchyone 4 days ago | parent | next [-]

Damn, that's an impressively well-done attack. Curious, do you use a password manager? If so, did it not autofilling feel like a red flag to you?

I've always wondered if I ever get phished if I'll notice bc of that or if I'll just go "ugh 1password isn't working, guess i'll paste my password in manually" and end up pwned

	▲	junon 4 days ago \| parent \| next [-]
		I was on mobile, didn't use the autofiller. Also previous experience with the web extensions showed me that they were flakey at best anyway. The `.help` should have been the biggest red flag, followed by the 48-hours request timeline. I wasn't thinking about things like I normally would this morning and just wanted to get things done today. Been a particularly stressful week, not that it's any excuse.
	▲	nixosbestos 4 days ago \| parent \| prev [-]
		I'm thinking on what all the anti-passkey folks have to say right now. Or the "password managers aren't necessary" crowd.

▲

4 days ago | parent | prev [-]

[deleted]