Not a security expert but I don’t think that requesting a reset of your 2FA credentials is reasonable.

I would be very worried about my 2FA provider if they asked me to do this.

And so I would not rate this phishing email a 10/10 at all.

Yes, the article's insistence that anyone would have fallen for the phish, and that anyone who disagrees is simply "wrong," is unfortunate. My old corporate phishing training drilled it into my head pretty effectively that you don't follow links in emails if the emails aren't direct responses to actions you've just taken: registering an account, resetting a password, and so forth.

To this day, I don't follow links in other kinds of emails. I mouse over the link to view the domain as a first step in determining how seriously to take the email. If the domain appears to match the known-good one, I copy the link and examine the characters to see if any Unicode lookalikes have been employed.

If the domain seems legitimate, or if I don't recognize it but the email is so convincing that I suspect the company truly is using a different domain (my bank has done this, frustratingly), I still don't click the link. I log in to my account on the known-good domain -- by typing it by hand into the browser's address bar -- and look for notifications.

If there are no notifications, then I might contact the company about the email to verify its authenticity.

If anyone reading thinks that seems like a lot of work, I agree with you! It stinks. But I humbly submit that it's necessary on today's Internet. And it's especially necessary if you're in charge of globally used software libraries.

To adopt the tone of the article's author, if they aren't willing to do that, they're wrong, and they're going to keep getting phished.

▲

hennell 3 days ago | parent | next [-]

Anyone is a literal stretch, but "almost anyone" seems pretty true. How many people do you think follow your very security minded, but quite long-winded practice? 1 in 1000?, 1 in 10,000? 1 in 100,000? Less?

I think the vast vast majority of people would have fallen for it, it's a decent looking message, it has a sense of urgency and the domain doesn't look wildly wrong. Devs in theory might be more security aware, but also we work with a lot of different apps, systems and sites - mixed domains, weird deep-links, redirects we've all used (and possibly even deployed) such setups.

Add in most of my email is now through a corporate outlook, so domains aren't very visible it's all nestled behind "safelinks", and personal email is often on a phone so mousing over a link just isn't muscle memory anymore.

I think I'd be suspicious at the request, but possibly have clicked to see more, especially with the threat things might stop working soon. Maybe NPM/package platforms should be pushing security training to their biggest maintainers like your old corporation did, but for now they don't and the idea that people should be more aware of the risk is sort of the point.

Almost anyone would have fallen for that, thats why almost all of us need to be reminded to think of this stuff more.

	▲	brushfoot 3 days ago \| parent [-]
		Thank you for implying I'm one in a million, but this just underscores why I avoid ecosystems like Node in favor of more top-down ones like .NET. When a lone developer is untrained and doesn't follow best practices, as happened here, the community rushes to their defense on the grounds of empathy: "We would ALL make this mistake." But what if we wouldn't? What if we're trained and have certain safety protocols and procedures that we hold ourselves to? This is why, at the end of the day, I run my company on a more centralized ecosystem, for all its warts. At least there's the promise of standard practices and procedures and training, whether it's always perfectly fulfilled or not. With a community-driven ecosystem, you don't have that: You're relying on the standards of the community, a vague and nebulous group that doesn't necessarily have any security sense, as you rightly pointed out. I realize not everyone has the luxury of making that choice due to career/financial constraints.

▲

ajross 3 days ago | parent | prev [-]

> Yes, the article's insistence that anyone would have fallen for the phish, and that anyone who disagrees is simply "wrong," is unfortunate

I think that's overstated. This phishing attempt had some obvious red flags that many people here would have noticed, sure. So not everyone is going to fall for this phish.

But the principle is better expressed as "Everyone will fall for a phish", somewhere. Even you. Human engineering is human engineering and we're all fallible. All that's required is that someone figure out which mistakes you're likely to make.