_fat_santa (4 days ago):
I know this isn't really possible for smaller guys but larger players (like NPM) really should buy up all the TLD versions of "npm" (that is: npm.io, npm.sh, npm.help, etc). One of the reasons this was so effective is that the attacker managed to snap up "npm.help".

quectophoton (4 days ago):
Then you have companies like AWS, they were sending invoices from `no-reply-aws@amazon.com` but last month they changed it to `no-reply@tax-and-invoicing.us-east-1.amazonaws.com`. That looks like a phishing attempt from someone using a random EC2 instance or something, but apparently it's legit. I think. Even the "heads-up" email they sent beforehand looked like phishing, so I was waiting for the actual invoice to see if they really started using that address, but even now I'm not opening these attached PDFs. These companies tell customers to be suspicious of phishing attempts, and then they pull these stunts.

simoncion (4 days ago):
> These companies tell customers to be suspicious of phishing attempts, and then they pull these stunts.

Yep. At every BigCo I've worked at, nearly all of the emails from Corporate have been indistinguishable from phishing. Sometimes, they're actual spam! Do the executives and directors responsible for sending these messages care? No. They never do, and get super defensive and self-righteous when you show them exactly how their precious emails tick every "This message is phishing!" box in the mandatory annual phishing-detection-and-resistance training.

cyphar (4 days ago):
A few years ago our annual corporate phishing training was initiated by an email sent from a random address asking us to log in with our internal credentials on a random website. A week later some executive pushing the training emailed the entire company saying that it was unacceptable that nobody from engineering had logged into the training site and spun some story about regulatory requirements. After lots of back and forth they still wouldn't accept that it obviously looked like a phishing email. Eventually when we actually did the training, it literally told us to check the From address of emails. I sometimes wonder if it was some weird kind of performance art.

ornornor (3 days ago):
It’s all just box ticking and CYA compliance. “We got pwned but the entire company went through a certified phishing awareness program and we have a DPI firewall. Nothing more we could have done, we’re not liable.”

cyphar (3 days ago):
I agree, but I really wonder where on earth they find these people.

simoncion (3 days ago):
If you're talking about the companies who provide the "training", either they're the lowest bidder, closely linked to someone who is buddies with someone important in the company [0], or both.

[0] ...so the payments serve the social function of enriching your buddy and improving your status in the whole favor economy thing...

apple1417 (3 days ago):
I once got a "log into phishing training" email which spoofed the company address. No one even saw the email, it instantly hit the spam filter. Our infra guy then had to argue with them for quite a while to just email from their own domain, and that no, we weren't going to add their cert to our DNS, and let a third party spoof us (or however that works, idk). Absolutely shocking lack of self awareness.

darthwalsh (2 days ago):
When they send out the phishing-simulation email campaign from the "compromised insider account" it's going to fool a lot more people!

wiseleo (3 days ago):
I can't pass phishing training on my first try because it often has bad advice as answers they are convinced are correct. Reading headers is one such gem.

lovich (3 days ago):
If Kevin Mitnick shows up or is referenced then I’m pretty sure it’s performance art.

cyphar (3 days ago):
If only, it would've been an honour to get phished by Mitnick. Rest in peace...

lovich (2 days ago):
Years of useless KnowBe4 trainings with him in the video have given me a twitch whenever I hear him referenced.

Macha (3 days ago):
I remember an email I once got.

Title: "Expense report overdue - Please fill now"
Subject: <empty body>
<Link to document trying its best to look like Google's attachment icon but was actually a hyperlink to a site that asked me to log in with my corporate credentials>

---

So like, obviously this is a stupid phishing email, right? Especially as at this time, I had not used my corporate card. A few weeks later I got the finance team reaching out threatening to cancel my corporate card because I had charges on it with no corresponding expense report filed. So on checking the charge history for the corporate card, it was the annual tax payment that all cards are charged in my country every year, and finance should have been well aware of. Of course, then the expense system initially rejected my report because I couldn't provide a receipt, as the card provider automatically deducts this charge with no manual action on the card owner's side...

mhh__ (3 days ago):
Yielding to anything you say is a no-no because part of the deal is that you, as a geek, must bend over to their unilateral veto over everything in the company.

charlieyu1 (4 days ago):
I thought facebookmail.com was fake. No, it is actually legit.

jowea (3 days ago):
Is that for user email? I think that is semi-understandable as Facebook wouldn't want to mix their authority with that of the users, like github.com vs github.io.

Edit: nvm it seems it's not the case.

VectorLock (4 days ago):
There's like 1500 TLDs, now some of them are restricted and country-code TLDs but now it makes me wonder how much it would actually cost per year to maintain registration of every non-restricted TLD. I'm sure there's some SaaS company that'll do it.

saghm (4 days ago):
OTOH, doesn't ICANN already sometimes restrict who has access to a given TLD? Would it really be that crazy for them to say "maybe we shouldn't let registrars sell npm.<TLD> regardless of the TLD", and likewise for a couple dozen of the most obvious targets (google., amazon., etc.)? No one needs to pay for these domains if no one is selling them in the first place. I don't love the idea of special treatment for giant companies in terms of domains, but we're already kind of there with the whole process they did when initially allowing companies to compete for exclusive access to TLDs, so we might as well use that process for something actually useful (unlike, say, letting companies apply for exclusive ownership of ".music" and have a whole legal process to determine that maybe that isn't actually beneficial for the internet as a whole: https://en.wikipedia.org/wiki/.music)

VectorLock (4 days ago):
The TLDs run the whole gamut from completely open to almost impossible to get.

ohdeargodno (4 days ago):
> maybe we shouldn't let registrars sell npm.<TLD> regardless of the TLD

Cool, get big enough, become friends with the right people and you can squat an entire name on the internet. What, you're the Nepalese Party for Marxists, you've existed for 70 years and you want to buy npm.np? Nope, tough luck, some random dude pushes shitty JavaScript packages over there. Sorry for the existing npm.org address too, we're going to expropriate the National Association of Pastoral Musicians.

Dare I remind you that the whole left-pad situation was because Kik, the company, stole (with NPM's assistance because they were big enough and friends with the right people) the kik package?

At least they're paying dozens of millions to buy a shitty ass .google that no one cares about because more and more browsers are hiding the URL bar. I'm glad ICANN can use it to buy drinks, hookers instead of being useful.

jjani (3 days ago):
> Dare I remind you that the whole left-pad situation was because Kik, the company, stole (with NPM's assistance because they were big enough and friends with the right people) the kik package ?

And then never even did anything with it.

saghm (3 days ago):
> Cool, get big enough, become friends with the right people and you can squat an entire name on the internet. What, you're the Nepalese Party for Marxists, you've existed for 70 years and you want to buy npm.np ?

I think you and I have drastically different ideas about how dramatic a response is warranted by the scenario of needing to buy a domain with a different three letters or maybe even four or more letters before the TLD.

> Dare I remind you that the whole left-pad situation was because Kik, the company, stole (with NPM's assistance because they were big enough and friends with the right people) the kik package ?

...and then the package was entirely removed, which would have been preventable by sane policies around making removal just not allow new dependencies to use it. You're also conflating a resource that's ostensibly free and perpetual for people to claim with one that's only rented for fixed periods of time for money.

osmsucks (3 days ago):
There are way too many TLDs for this to be even practical: https://data.iana.org/TLD/tlds-alpha-by-domain.txt

I agree that especially larger players should be proactive and register all similar-sounding TLDs to mitigate such phishing attacks, but they can't be outright prevented this way.

IncreasePosts (4 days ago):
That seems like a bad idea compared to just having a canonical domain - people might become used to seeing "npm.<whatever>" and assuming it is legit. And then all it takes is one new TLD where NPM is a little late registering for someone to do something nefarious with the domain.

macintux (4 days ago):
Just because you buy them doesn't mean that you have to use them. Squatting on them is no more harmful (except financially) than leaving them available for potentially hostile 3rd parties.

IncreasePosts (4 days ago):
Sure, I guess buying up every npm.* you can find and then having a message "never use this, only use npm.com" could work. I thought OP was saying have every npm.* site be a mirror of the canonical site.

barnas2 (4 days ago):
Looks like it costs ~$200,000 to get your own TLD. If a bunch of companies started doing the "register every TLD of our brand", I wonder what the breakeven point would be where just registering a TLD is profitable.

jacobsenscott (4 days ago):
This won't work - npm.* npmjs.* npmjs-help.* npm-help.* node.* js.* npmpackage.*. The list is endless. You can't protect against people clicking links in emails in this way. You might say `npmjs-help.ph` is a phishy domain, but npmjs.help is a phishy domain and people clicked it anyway.

eddythompson80 (3 days ago):
There is also the more recent style of phishing domains that look like healthcare.gov-profile.co/user

karmakaze (3 days ago):
First thing I do is check any domain that I don't recognize as official.

Domain: NPMJS.HELP (85 similar domains)
Registrar: Porkbun, LLC (4.84 million domains)
Query Time: 8 Sep 2025 - 4:14 PM UTC [1 DAY BACK]
Registered: 5th September 2025 [4 days back]
Expiry: 5th September 2026 [11 months, 25 days left]

I'd be suspicious of anything registered with Porkbun discount registrar. 4 days ago means it's fake.

> It sets a deadline a few days in the future. This creates a sense of urgency, and when you combine urgency with being rushed by life, you are much more likely to fall for the phishing link.

Any time I feel like I'm being rushed, I check deeper. It would help if everyone's official communications only came from the most well known domain (or subdomain).

jakubmazanec (3 days ago):
> 4 days ago, means it's fake.

Heuristics like this one should be performed automatically by the email client.

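
An added example, not from any commenter, of the automated check jakubmazanec suggests, applied to the two patterns in this thread: the freshly registered npmjs.help record karmakaze pasted, and the healthcare.gov-profile.co style lookalike eddythompson80 mentions, where the registrable name is gov-profile.co, not healthcare.gov. The registration table and the public-suffix subset are constructed placeholders; a real client would query RDAP/WHOIS and use the full Public Suffix List.

```python
from datetime import date
from urllib.parse import urlsplit

# Constructed stand-in for a WHOIS/RDAP lookup (registrable domain -> creation date).
# npmjs.help uses the date from the pasted record above; the others are placeholders.
REGISTERED_ON = {
    "npmjs.help": date(2025, 9, 5),
    "gov-profile.co": date(2025, 9, 1),   # placeholder, not a real record
    "npmjs.com": date(2010, 1, 1),        # placeholder, not the real record
}
# Tiny stand-in for the Public Suffix List: suffixes under which the
# registrable name is the third label from the right rather than the second.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
RECEIVED_ON = date(2025, 9, 9)  # constructed: the day the mail arrived


def registrable_domain(url: str) -> str:
    """Return the part of the host a registrar actually sold.

    healthcare.gov-profile.co/user -> gov-profile.co (not healthcare.gov)
    """
    if "://" not in url:          # tolerate bare hosts pasted without a scheme
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    depth = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-depth:])


def domain_age_days(domain: str, on: date):
    """Days between registration and `on`; None when no record is known."""
    created = REGISTERED_ON.get(domain)
    return None if created is None else (on - created).days


def flag_links(urls, received_on: date, max_age_days: int = 30):
    """Flag links whose registrable domain is unknown or newer than the threshold."""
    findings = []
    for url in urls:
        domain = registrable_domain(url)
        age = domain_age_days(domain, received_on)
        if age is None:
            findings.append((url, domain, "no registration record"))
        elif age <= max_age_days:
            findings.append((url, domain, f"registered {age} days before receipt"))
    return findings


if __name__ == "__main__":
    sample = ["https://www.npmjs.help/verify",            # constructed links
              "https://healthcare.gov-profile.co/user",
              "https://docs.npmjs.com/"]
    for finding in flag_links(sample, RECEIVED_ON):
        print(finding)
```

A subdomain of a long-established domain (docs.npmjs.com) passes, while both young domains are flagged regardless of how familiar their leftmost labels look.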
jjani (3 days ago):
GoDaddy is in every way a much shadier company yet half the internet is hosted on top of it, would you be okay with them being used? Come on now.

galaxy_gas (3 days ago):
While the rest is reasonable, Porkbun is not a "discount" registrar. They are often more expensive, and in addition to that, they run quite a number of TLDs.

joe_the_user (3 days ago):
I don't think that particular measure would help but NPM are the people who brought us the left-pad crisis and their Wikipedia page has a long string of security failures mentioned on it. Given this, it seems likely their attitude is "we don't care, we don't have to" and their relative success as the world's largest package manager seems to echo that (not that I have any idea whether they make any money).

ozim (4 days ago):
That’s like insane proportion.

croemer (4 days ago):
npmjs.help not npm.help - the typo is also in the article.