←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 1 comments | 08 Sep 25 15:37 UTC | HN request time: 0s | source
Show context
nodesocket ◴[08 Sep 25 15:56 UTC] No.45169885[source]
This is terrifying. Reminder to store your crypto in a hardware based wallet like Ledger not browser based. Stay frosty when making transfers from exchanges.
replies(3): >>45169921 #>>45169962 #>>45171452 #
nixosbestos ◴[08 Sep 25 16:03 UTC] No.45169962[source]
How is it terrifying? They clicked through a 2FA reset email, a process that I have never, and will never need to go through, and seemingly one that they didn't even initiate.
replies(2): >>45170037 #>>45170154 #
goku12 ◴[08 Sep 25 16:17 UTC] No.45170154[source]
How many developers are there like him? If not him, they'll target someone else. And while you or I will never do such a thing under normal circumstances, that's a pretty simple mistake to make if you are stressed, sleep deprived or sick. We are supposed to have automatic safeguards against such simple mistakes. (We used to design stuff with the assumption that if a human mistake is possible, someone will eventually make it for sure.)
replies(2): >>45170692 #>>45173292 #
1. crooked-v ◴[08 Sep 25 16:56 UTC] No.45170692[source]
Also, companies have mass popularized the whole 'click a link in an email to login' thing, which really contributes to the mistake factor.