dboreham 4 days ago
OP entered their credentials and TOTP code, which the attacker proxied to the real npmjs.com. FWIW npmjs does support FIDO2 including hard tokens like Yubikey. They do not force re-auth when issuing an access token with publish rights, which is probably how the attackers compromised the packages. iirc GitHub does force re-auth when you request an access token.
osa1 4 days ago
> They do not force re-auth when issuing an access token with publish rights, which is probably how the attackers compromised the packages

I'm surprised by this. Yeah, GitHub definitely forces you to re-auth when accessing certain settings.