NPM debug and chalk packages compromised

(www.aikido.dev)

1369 points universesquid | 1 comments | 08 Sep 25 15:37 UTC | HN request time: 0s | source

https://github.com/advisories/GHSA-8mgj-vmr8-frr6

Show context

junon ◴[08 Sep 25 15:49 UTC] No.45169794[source]▶

>>45169657 (OP) #

Hi, yep I got pwned. Sorry everyone, very embarrassing.

More info:

- https://github.com/chalk/chalk/issues/656

- https://github.com/debug-js/debug/issues/1005#issuecomment-3...

Affected packages (at least the ones I know of):

- ansi-styles@6.2.2

- debug@4.4.2 (appears to have been yanked as of 8 Sep 18:09 CEST)

- chalk@5.6.1

- supports-color@10.2.1

- strip-ansi@7.1.1

- ansi-regex@6.2.1

- wrap-ansi@9.0.1

- color-convert@3.1.1

- color-name@2.0.1

- is-arrayish@0.3.3

- slice-ansi@7.1.1

- color@5.0.1

- color-string@2.1.1

- simple-swizzle@0.2.3

- supports-hyperlinks@4.1.1

- has-ansi@6.0.1

- chalk-template@1.1.1

- backslash@0.2.1

It looks and feels a bit like a targeted attack.

Will try to keep this comment updated as long as I can before the edit expires.

---

Chalk has been published over. The others remain compromised (8 Sep 17:50 CEST).

NPM has yet to get back to me. My NPM account is entirely unreachable; forgot password system does not work. I have no recourse right now but to wait.

Email came from support at npmjs dot help.

Looked legitimate at first glance. Not making excuses, just had a long week and a panicky morning and was just trying to knock something off my list of to-dos. Made the mistake of clicking the link instead of going directly to the site like I normally would (since I was mobile).

Just NPM is affected. Updates to be posted to the `/debug-js` link above.

Again, I'm so sorry.

replies(39): >>45169833 #>>45169877 #>>45169899 #>>45169922 #>>45170115 #>>45170202 #>>45170608 #>>45170631 #>>45170738 #>>45170943 #>>45171084 #>>45171127 #>>45171420 #>>45171444 #>>45171619 #>>45171648 #>>45171666 #>>45171859 #>>45172334 #>>45172346 #>>45172355 #>>45172660 #>>45172846 #>>45174599 #>>45174607 #>>45175160 #>>45175246 #>>45176250 #>>45176355 #>>45176505 #>>45177184 #>>45177316 #>>45178543 #>>45178719 #>>45182153 #>>45183937 #>>45194407 #>>45194912 #>>45229781 #

dboreham ◴[08 Sep 25 15:56 UTC] No.45169877[source]▶

>>45169794 #

Sorry to be dumb, but can you expand a bit on "2FA reset email..." so the rest of us know what not to do?

replies(2): >>45169963 #>>45170666 #

junon ◴[08 Sep 25 16:03 UTC] No.45169963[source]▶

>>45169877 #

Ignore anything coming from npm you didn't expect. Don't click links, go to the website directly and address it there. That's what I should have done, and didn't because I was in a rush.

Don't do security things when you're not fully awake, too. Lesson learned.

The email was a "2FA update" email telling me it's been 12 months since I updated 2FA. That should have been a red flag but I've seen similarly dumb things coming from well-intentioned sites before. Since npm has historically been in contact about new security enhancements, this didn't smell particularly unbelievable to my nose.

The email went to the npm-specific inbox, which is another way I can verify them. That address can be queried publicly but I don't generally count on spammers to find that one but instead look at git addresses etc

The domain name was `npmjs dot help` which obviously should have caught my eye, and would have if I was a bit more awake.

The actual in-email link matched what I'd expect on npm's actual site, too.

I'm still trying to work out exactly how they got access. They didn't technically get a real 2FA code from the actual, I don't believe. EDIT: Yeah they did, nevermind. Was a TOTP proxy attack, or whatever you'd call it.

Will post a post-mortem when everything is said and done.

replies(5): >>45170150 #>>45170205 #>>45170263 #>>45170777 #>>45183746 #

sugarpimpdorsey ◴[08 Sep 25 16:21 UTC] No.45170205[source]▶

>>45169963 #

> The domain name was `npmjs dot help` which obviously should have caught my eye, and would have if I was a bit more awake.

It's a good thing the WebPKI cartel mostly did away with EV certs.... these days any old cert where only the SAN matches the domain and your browser gives a warm fuzzy "you're secure!"

replies(2): >>45170645 #>>45170963 #

1. Kwpolska ◴[08 Sep 25 17:16 UTC] No.45170963{3}[source]▶

>>45170205 #

People never paid attention to the special EV cert markers. And even if they did, what would stop someone from registering a company named "npm, Inc." and buying an EV cert for it? Sure, it’s going to cost some money upfront, but you can make much more by stealing cleptocurrency.

↑