feross 5 days ago

It was a relay. The fake site forwarded actions to the real npm, so the legit 2FA challenge was triggered by npm and the victim entered the code into the phishing page. The attacker captured it and completed the session, then added an API token and pushed malware. Passkeys or FIDO2 would have failed here because the credential is bound to the real domain and will not sign for npmjs.help.

yawaramin 4 days ago | parent [-]

And by 'fail' we mean that passkeys would have successfully prevented the attack.

feross 4 days ago | parent [-]

Correct!