I clicked the link like a genius :)

osa1 4 days ago | parent | next [-]

I don't understand. The link could've come from anywhere (for example from a HN comment). How does just clicking on it give your package credentials to someone else? Is NPM also at fault here? I'd naively think that this shouldn't be possible.

For example, GitHub asks for 2FA when I change certain repo settings (or when deleting a repo etc.) even when I'm logged in. Maybe NPM needs to do the same?

▲

dboreham 4 days ago | parent | next [-]

OP entered their credentials and TOTP code, which the attacker proxied to the real npmjs.com

FWIW npmjs does support FIDO2 including hard tokens like Yubikey.

They do not force re-auth when issuing an access token with publish rights, which is probably how the attackers compromised the packages. iirc GitHub does force re-auth when you request an access token.

	▲	osa1 4 days ago \| parent [-]
		> They do not force re-auth when issuing an access token with publish rights, which is probably how the attackers compromised the packages I'm surprised by this. Yeah, GitHub definitely forces you to re-auth when accessing certain settings.

▲

koil 4 days ago | parent | prev | next [-]

As OC mentioned elsewhere, it was a targeted TOTP proxy attack.

▲

hughw 4 days ago | parent [-]

So, he clicked the link and then entered his correct TOTP? how would manually typing the url instead of clicking the link have mitigated this?

	▲	Mogzol 4 days ago \| parent [-]
		They wouldn't have manually typed the exact URL from the email, they would have just typed in npmjs.com which would ensure they ended up on the real NPM site. Or even if they did type out the exact URL from the email, it would have made them much more likely to notice that it was not the real NPM URL.

▲

4 days ago | parent | prev [-]

[deleted]

▲

alexellisuk 4 days ago | parent | prev [-]

:-( How did the link hijack your password/2fa? Or did you also enter some stuff on the form?