typpilol 3 days ago

But this wasn't even really a spear phishing attack.

It was a generic phishing email you see in every single Corp 101 security course.

acdha 3 days ago

The attacker did have a great domain name choice, didn’t overuse it to the point where it got on spam block lists, and got them at a moment of distraction, so it worked. It’s really easy to look at something in a training exercise and say “who’d fall for that” without thinking about what happens when you’re not at your best in a calm, focused state.

My main point was simply that the better response isn’t to mock them but to build systems which can’t fail this badly. WebAuthn is great, but you have to go all in if you want to prevent phishing. NPM would also benefit immensely from putting speed bumps and things like code signing requirements in place, but that’s a big usability hit if it’s not carefully implemented.
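To make the "go all in" point concrete, here is an added example (not code from the thread, from npm, or from any project the comment mentions) showing the two relying-party checks that make WebAuthn resist a lookalike-domain phish. The browser, not the page, writes the origin into clientDataJSON and derives the RP ID hash from the real host, so an assertion produced on a lookalike page carries the lookalike's origin and hash and is rejected before the signature is ever examined; a relayed password or TOTP code has no such binding. The RP ID, origins and challenge bytes are constructed placeholders, and signature verification is omitted to keep the focus on the binding checks.

```python
"""Simplified WebAuthn origin/RP-ID binding checks (added example, stdlib only)."""
import base64
import hashlib
import json

# Assumptions: the genuine relying party and the origins it accepts (constructed names).
EXPECTED_RP_ID = "registry.example"
EXPECTED_ORIGINS = {"https://registry.example"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # Re-pad: WebAuthn encodes without '=' padding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> str:
    """Build the clientDataJSON a browser would emit for a page at `origin`.

    Constructed for the example: the browser fills in `origin` itself, so a
    page cannot claim an origin it is not actually served from.
    """
    data = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(data).encode())


def rp_id_hash_for(origin: str) -> bytes:
    """SHA-256 of the RP ID the browser derives from the page's host.

    This is the rpIdHash field the authenticator signs inside authenticatorData.
    """
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return hashlib.sha256(host.encode()).digest()


def check_assertion_binding(client_data_b64: str, rp_id_hash: bytes, issued_challenge: bytes):
    """Relying-party checks that precede signature verification.

    Returns (ok, reason). Any failure means the assertion was not produced
    for this site in this session, whatever the signature says.
    """
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "clientDataJSON not parseable"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Challenge binding: the assertion must answer the challenge this session issued.
    if client_data.get("challenge") != b64url_encode(issued_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    # Origin binding: the browser recorded where the ceremony actually ran.
    origin = client_data.get("origin")
    if origin not in EXPECTED_ORIGINS:
        return False, f"origin {origin!r} is not an allowed origin"
    # RP ID binding: the authenticator signed a hash of the host it was invoked for.
    if rp_id_hash != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash does not match expected RP ID"
    return True, "binding checks passed"


if __name__ == "__main__":
    challenge = b"constructed-challenge-bytes!"
    for origin in ("https://registry.example", "https://registry.example.help"):
        ok, why = check_assertion_binding(
            make_client_data(origin, challenge), rp_id_hash_for(origin), challenge
        )
        print(f"{origin}: {'accepted' if ok else 'rejected'} ({why})")
```

Run as a script it accepts the assertion from the genuine origin and rejects the one from the constructed lookalike. The "all in" part of the comment is the operational half: the protection only holds if no weaker fallback (SMS code, recovery email, a TOTP-only path) is left enabled for the same account, since a phisher simply steers the victim to whichever path still relays.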

typpilol 3 days ago

I wouldn't consider a .help domain to be a great choice.

I've literally never seen a support email or any email from a .help domain.

I'm not mocking them, just trying to understand how so many red flags slipped past.

Domain name
No auto-fill
Unannounced MFA resets
Etc...

My point is that nothing could have saved this person except extreme security measures. There's literally no conclusion here besides:

1. Lock everything down so extremely that it's extremely inconvenient, to prevent mistakes 99% of people don't make. (How many npm packages vs. the total have been hijacked? Less than 1%.)

2. This person was always going to be a victim eventually... And that's a hard pill to swallow. For me and the maintainer. Being in network security it's my actual nightmare scenario.

The only lesson to be learned is you need extreme security measures for even the most experienced of internet users. This wasn't your grandma clicking a link, it's a guy who's been around for decades in the online / coding world.

It also makes me suspicious, but that's a road I'd rather keep to myself.