←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 10 comments | 08 Sep 25 15:37 UTC | HN request time: 1.016s | source | bottom
1. andrewmcwatters ◴[08 Sep 25 15:59 UTC] No.45169908[source]
@junon, if it makes you feel any better, I once had a Chinese hacking group target my router and hijack my DNS configuration specifically to make "amazon.com" point to 1:1 replica of the site just to steal my Amazon credentials.

There was no way to quickly visualize that the site was fake, because it was in fact, "actually" amazon.com.

Phishing sucks. Sorry to read about this.

Edit: To other readers, yes, the exploit failed to use an additional TLS attack, which was how I noticed something was wrong. Otherwise, the site was identical. This was many years ago before browsers were as vocal as they are now about unsecured connections.

replies(5): >>45169946 #>>45169949 #>>45169952 #>>45169953 #>>45169958 #
2. nixosbestos ◴[08 Sep 25 16:02 UTC] No.45169946[source]
That's not... how that works, unless you clicked through a very loud, obvious TLS warning.
replies(1): >>45170053 #
3. thehamkercat ◴[08 Sep 25 16:02 UTC] No.45169949[source]
What about SSL?
4. bix6 ◴[08 Sep 25 16:02 UTC] No.45169952[source]
Any write up? I would like to learn more to avoid.
replies(1): >>45179298 #
5. littlecranky67 ◴[08 Sep 25 16:02 UTC] No.45169953[source]
How did they get a valid ssl cert though?
replies(2): >>45170020 #>>45171864 #
6. dboreham ◴[08 Sep 25 16:03 UTC] No.45169958[source]
How did that get past TLS checks? They used Unicode characters that visually looked like amazon.com ?
7. klysm ◴[08 Sep 25 16:08 UTC] No.45170020[source]
Could've been a while ago when SSL certs failures weren't as loud in the browser
8. jowea ◴[08 Sep 25 16:11 UTC] No.45170053[source]
Yeah that sounds weird. Certificate pinning and HSTS should protect from that, right?
9. dns_snek ◴[08 Sep 25 18:19 UTC] No.45171864[source]
Before HSTS you didn't need a valid certificate. When you typed "amazon.com" in the address bar your browser would first connect to the server unencrypted on port 80 which would then redirect you to the HTTPS address.

If someone hijacked your DNS, they could direct your browser to connect to their web server instead which served a phishing site on port 80 and never redirected you, thus never ran into the certificate issue. That's part of the reason why browsers started warning users when they're connecting to a website without HTTPS.

10. dns_snek ◴[09 Sep 25 08:45 UTC] No.45179298[source]
The exact attack they described is less of an issue these days due to HSTS and preloading, but:

- make sure you're connected to the expected official domain (though many companies are desensitizing us to this threat by using distinct domains instead of subdomains for official business)

- make sure you're connected over HTTPS (this was most likely their issue)

- use a password manager which remembers official domains for you and won't offer to auto-fill on phishing sites

- use a 2FA method that's immune to phishing, like passkeys or security keys (if you do this, you get a lot of leniency to mistakes everywhere else)