dcrazy 3 hours ago
It’s far from a complete solution, but to mitigate this specific avenue of supply-chain compromise, couldn’t GitHub/npm issue single-purpose physical hardware tokens and allow projects (or, for the most popular ones, even mandate) that maintainers use these hardware tokens as a form of 2FA?

yjftsjthsd-h 3 hours ago
What would a physical token give you that TOTP doesn't? Edit: wait, did the attacker intercept the TOTP code as it was entered? Trying to make sense of the thread.

dcrazy 2 hours ago
The attacker installed a RAT on the contributor’s machine, so if they had configured TOTP or saved the recovery codes anywhere on that machine, the attacker could defeat 2FA.

yjftsjthsd-h 17 minutes ago
Oh, yes, I missed that the TOTP machine was compromised. Would that then imply that it would have been okay if codes came from a separate device, e.g. a TOTP app on a Palm OS device with zero network connectivity? (Or maybe these days the easiest airgapped option is an old Android phone that stays in airplane mode...)