polynomial 5 days ago
Serious question, how did the attacking site (npmjs.help) know the victim's 2FA? i.e. How did they know what phone number to send the 2FA request to?
feross 5 days ago
It was a relay. The fake site forwarded actions to the real npm, so the legit 2FA challenge was triggered by npm and the victim entered the code into the phishing page. The attacker captured it and completed the session, then added an API token and pushed malware. Passkeys or FIDO2 would have failed here because the credential is bound to the real domain and will not sign for npmjs.help.
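A worked illustration of the point above, added here as an editor's example rather than any commenter's code: a TOTP code carries nothing that says which site collected it, so a relayed code verifies just like a genuine one, whereas a WebAuthn assertion is bound to the requesting origin twice (the browser refuses the ceremony when the RP ID does not match the page's domain, and the relying party rejects an assertion whose clientDataJSON origin or rpIdHash is wrong). All credential, challenge and clock values are constructed; the RP ID `npmjs.com` is an assumption for the real npm site; only the origin/RP-ID checks are implemented, and a real relying party would then verify the authenticator's signature over the bytes `signed_payload()` returns.

```python
"""Why an adversary-in-the-middle relay defeats a TOTP code but not a WebAuthn
assertion. Everything here is constructed for illustration; the signature check
that follows the origin/RP-ID checks is not implemented."""
import base64
import hashlib
import hmac
import json
import struct
from urllib.parse import urlsplit


# ---- TOTP (RFC 6238): the code depends on the shared secret and the clock only. ----
def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp_accepts(secret: bytes, submitted: str, for_time: int) -> bool:
    # Nothing in the code identifies the site that collected it, so a relayed
    # code is indistinguishable from one typed into the real site.
    return hmac.compare_digest(totp(secret, for_time), submitted)


# ---- WebAuthn: the browser binds every assertion to the origin that asked for it. ----
def rp_id_valid_for_origin(rp_id: str, origin: str) -> bool:
    """Browser-side rule: the RP ID must be the origin's host or a parent domain of it.
    Simplified: no public-suffix list, so any parent domain is treated as acceptable."""
    host = urlsplit(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_client_data(origin: str, challenge: bytes) -> bytes:
    # Constructed stand-in for the clientDataJSON the browser produces. The browser,
    # not the page, fills in "origin", so a phishing page cannot claim the real origin.
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def build_authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    # Layout: rpIdHash (32 bytes) || flags (1 byte; 0x01 = user present) || signCount (4 bytes)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + struct.pack(">I", counter)


def signed_payload(authenticator_data: bytes, client_data: bytes) -> bytes:
    # The authenticator signs authenticatorData || SHA256(clientDataJSON), so the
    # origin string is covered by the signature and cannot be swapped afterwards.
    return authenticator_data + hashlib.sha256(client_data).digest()


def verify_assertion(rp_id: str, allowed_origin: str, expected_challenge: bytes,
                     client_data: bytes, authenticator_data: bytes) -> tuple:
    """Relying-party checks that precede signature verification; returns (ok, reason)."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replayed or foreign assertion)"
    if cd.get("origin") != allowed_origin:
        return False, f"origin {cd.get('origin')!r} is not {allowed_origin!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    expected_hash = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], expected_hash):
        return False, "rpIdHash does not match the RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "pre-signature checks passed; verify the signature over signed_payload() next"


def relay_scenario() -> dict:
    """Constructed walk-through: the victim is on https://npmjs.help, which relays
    everything to the real site (RP ID assumed to be npmjs.com)."""
    real_origin, phish_origin, rp_id = "https://www.npmjs.com", "https://npmjs.help", "npmjs.com"
    secret, now = b"12345678901234567890", 1_700_000_000  # constructed seed and clock
    relayed_code = totp(secret, now)  # what the victim types into the phishing page
    challenge = hashlib.sha256(b"constructed-challenge").digest()  # issued by the real site
    phish_client_data = build_client_data(phish_origin, challenge)  # browser on npmjs.help
    auth_data = build_authenticator_data(rp_id)
    return {
        "totp_relayed_code_accepted": totp_accepts(secret, relayed_code, now),
        "browser_allows_ceremony_on_phish": rp_id_valid_for_origin(rp_id, phish_origin),
        "browser_allows_ceremony_on_real": rp_id_valid_for_origin(rp_id, real_origin),
        "rp_accepts_relayed_assertion": verify_assertion(
            rp_id, real_origin, challenge, phish_client_data, auth_data),
        "rp_accepts_genuine_assertion": verify_assertion(
            rp_id, real_origin, challenge, build_client_data(real_origin, challenge), auth_data),
    }


if __name__ == "__main__":
    for name, result in relay_scenario().items():
        print(f"{name}: {result}")
```

Running it shows the relayed TOTP code accepted, the browser refusing the WebAuthn ceremony on `npmjs.help`, and the relying party rejecting the relayed assertion on the origin check even before any signature is examined.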
xx_ns 5 days ago
It acted as a proxy for the real npm site, which was the one to send the request, intercepting the code when the user inserted it.
5 days ago
[deleted]