
1369 points universesquid | 10 comments
junon ◴[] No.45169794[source]
Hi, yep I got pwned. Sorry everyone, very embarrassing.

More info:

- https://github.com/chalk/chalk/issues/656

- https://github.com/debug-js/debug/issues/1005#issuecomment-3...

Affected packages (at least the ones I know of):

- ansi-styles@6.2.2

- debug@4.4.2 (appears to have been yanked as of 8 Sep 18:09 CEST)

- chalk@5.6.1

- supports-color@10.2.1

- strip-ansi@7.1.1

- ansi-regex@6.2.1

- wrap-ansi@9.0.1

- color-convert@3.1.1

- color-name@2.0.1

- is-arrayish@0.3.3

- slice-ansi@7.1.1

- color@5.0.1

- color-string@2.1.1

- simple-swizzle@0.2.3

- supports-hyperlinks@4.1.1

- has-ansi@6.0.1

- chalk-template@1.1.1

- backslash@0.2.1

It looks and feels a bit like a targeted attack.

Will try to keep this comment updated as long as I can before the edit expires.

---

Chalk has been published over. The others remain compromised (8 Sep 17:50 CEST).

NPM has yet to get back to me. My NPM account is entirely unreachable; forgot password system does not work. I have no recourse right now but to wait.

Email came from support at npmjs dot help.

Looked legitimate at first glance. Not making excuses, just had a long week and a panicky morning and was just trying to knock something off my list of to-dos. Made the mistake of clicking the link instead of going directly to the site like I normally would (since I was mobile).

Just NPM is affected. Updates to be posted to the `/debug-js` link above.

Again, I'm so sorry.

replies(39): >>45169833 #>>45169877 #>>45169899 #>>45169922 #>>45170115 #>>45170202 #>>45170608 #>>45170631 #>>45170738 #>>45170943 #>>45171084 #>>45171127 #>>45171420 #>>45171444 #>>45171619 #>>45171648 #>>45171666 #>>45171859 #>>45172334 #>>45172346 #>>45172355 #>>45172660 #>>45172846 #>>45174599 #>>45174607 #>>45175160 #>>45175246 #>>45176250 #>>45176355 #>>45176505 #>>45177184 #>>45177316 #>>45178543 #>>45178719 #>>45182153 #>>45183937 #>>45194407 #>>45194912 #>>45229781 #
nodesocket ◴[] No.45169899[source]
What did the phishing email say that made you click and login?
replies(1): >>45170070 #
junon ◴[] No.45170070[source]
That it had been more than 12 months since last updating them. Npm has done outreach before about doing security changes/enhancements in the past so this didn't really catch me.

Screenshot here: https://imgur.com/a/q8s235k

replies(7): >>45170187 #>>45170240 #>>45170308 #>>45170321 #>>45170333 #>>45170335 #>>45171291 #
1. nodesocket ◴[] No.45170240[source]
Yikes, looks legit. Curious what the destination addresses are? Would like to monitor them to see how much coin they are stealing.
replies(3): >>45170331 #>>45170449 #>>45170952 #
2. hunter2_ ◴[] No.45170331[source]
In terms of presentation, yes. In terms of substance, short deadlines are often what separate phishing from legitimate requests.
replies(1): >>45172370 #
3. FergusArgyll ◴[] No.45170449[source]
0x66a9893cC07D91D95644AEDD05D03f95e1dBA8Af

0x10ed43c718714eb63d5aa57b78b54704e256024e

0x13f4ea83d0bd40e75c8222255bc855a974568dd4

0x1111111254eeb25477b68fb85ed929f73a960582

0xd9e1ce17f2641f24ae83637ab66a2cca9c378b9f

Source: https://github.com/chalk/chalk/issues/656#issuecomment-32670...

replies(1): >>45172699 #
4. mcintyre1994 ◴[] No.45170952[source]
There's a lot, looks like they start at line 103 in the gist here: https://gist.github.com/sindresorhus/2b7466b1ec36376b8742dc7...
5. mrguyorama ◴[] No.45172370[source]
There are NO reliable indicators, because every single one of these "Legit requests don't ..." recommendations has been done by a local bank trying to get their customers to do something.

My local credit union sent me a "please change your password" email from a completely unassociated email address with a link to the change password portal. I emailed them saying "Hey, it looks like someone is phishing" and they said, "nope, we really, intentionally, did this".

Companies intentionally withhold warning emails as late as possible to cause more people to incur late fees. So everyone is used to "shit, gotta do this now or get screwed".

You can't hope to have good security when everyone's money is controlled by organizations that actively train people to have bad OPSEC or risk missing rent.

replies(2): >>45172585 #>>45175013 #
6. hunter2_ ◴[] No.45172585{3}[source]
I agree: any of the potential indicators of phishing (whether it's poor presentation, incorrect grammar, tight deadlines, unusual "from" addresses, unusual domains in links, etc.) can easily have false positives which unfortunately dull people's senses. That doesn't mean they can't continue to be promulgated as indicators of possible (not definite) phishing, though.

I used the word "often" rather than "always" for this reason.

7. dbdr ◴[] No.45172699[source]
Next comment:

> Those are swap contract addresses, not attacker addresses. E.g. 0x66a9893cC07D91D95644AEDD05D03f95e1dBA8Af the Uniswap v4 universal router addr.

> Every indication so far is that the attacker stole $0 from all of this. Which is a best-case outcome.

replies(1): >>45172741 #
8. FergusArgyll ◴[] No.45172741{3}[source]
Oh, that makes much more sense - thanks!
9. cataflam ◴[] No.45175013{3}[source]
> There are NO reliable indicators

Completely agree. The only reliable way is to never use an email/SMS link to login, ever.

replies(1): >>45185442 #
10. hunter2_ ◴[] No.45185442{4}[source]
Or go ahead and use them, but abort if your password manager doesn't auto fill. Such abort scenarios include not only a password field without auto fill, but also a total lack of password field (e.g., sites that offer OTP-only authentication), since either way you don't have your password manager vetting the domain.