boznz 4 days ago
It is not a one-in-a-million opportunity though. I hate to take this to the next level, but as criminal elements wake up to the fact that a few "geeks" can possibly get them access to millions of dollars expect much worse to come. As a maintainer of any code that could gain bad guys access, I would be seriously considering how well my physical identity is hidden on-line.
SchemaLoad 3 days ago
This is why banks make you approve transactions on your phone now. The fact that a random NPM package can redirect your money is a massive issue.

jongjong 3 days ago
I just made a very similar comment. Spot on. It's laughable to think that this trivial opportunity that literally any developer could pull off with a couple of thousand dollars is a one-in-a-million. North Korea probably has enough money to buy up a significant percentage of all popular npm dependencies and most people would sell willingly and unwittingly. In the case of North Korea, it's really crazy because hackers over there can do this legally in their own country, with the support of their government! And most popular npm developers are broke.

pixl97 3 days ago
As foretold by the prophet