bflesch 4 days ago

Can you attribute this technique to a specific group?

suzzer99 4 days ago | parent | next [-]

A few years ago, I remember reading about some NFT contract attack that did something similar. So I'm sure it's out there now.

illegally 3 days ago | parent | prev | next [-]

It's not a "group specific" technique.

This is smart, but not really unusual.

pants2 4 days ago | parent | prev [-]

Almost certainly Lazarus

sflanagain 4 days ago | parent [-]

The phishing email comes across a bit too amateur. Specifically the inclusion of:

"we kindly ask that you complete this update your earliest convenience".

The email was included here: https://cdn.prod.website-files.com/642adcaf364024654c71df23/...

From this article: https://www.aikido.dev/blog/npm-debug-and-chalk-packages-com...

rurban 3 days ago | parent | next [-]

Very amateur. Who would fall for that, really? I can only suspect npm people who are used to unprofessional repo hosting practices.

Such a Two Factor Authentication update request would have needed a blog post first, to announce such a fishy request.

huflungdung 4 days ago | parent | prev [-]

[dead]