←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 9 comments | 08 Sep 25 15:37 UTC | HN request time: 0.001s | source | bottom
Show context
junon ◴[08 Sep 25 15:49 UTC] No.45169794[source]
Hi, yep I got pwned. Sorry everyone, very embarrassing.

More info:

- https://github.com/chalk/chalk/issues/656

- https://github.com/debug-js/debug/issues/1005#issuecomment-3...

Affected packages (at least the ones I know of):

- ansi-styles@6.2.2

- debug@4.4.2 (appears to have been yanked as of 8 Sep 18:09 CEST)

- chalk@5.6.1

- supports-color@10.2.1

- strip-ansi@7.1.1

- ansi-regex@6.2.1

- wrap-ansi@9.0.1

- color-convert@3.1.1

- color-name@2.0.1

- is-arrayish@0.3.3

- slice-ansi@7.1.1

- color@5.0.1

- color-string@2.1.1

- simple-swizzle@0.2.3

- supports-hyperlinks@4.1.1

- has-ansi@6.0.1

- chalk-template@1.1.1

- backslash@0.2.1

It looks and feels a bit like a targeted attack.

Will try to keep this comment updated as long as I can before the edit expires.

---

Chalk has been published over. The others remain compromised (8 Sep 17:50 CEST).

NPM has yet to get back to me. My NPM account is entirely unreachable; forgot password system does not work. I have no recourse right now but to wait.

Email came from support at npmjs dot help.

Looked legitimate at first glance. Not making excuses, just had a long week and a panicky morning and was just trying to knock something off my list of to-dos. Made the mistake of clicking the link instead of going directly to the site like I normally would (since I was mobile).

Just NPM is affected. Updates to be posted to the `/debug-js` link above.

Again, I'm so sorry.

replies(39): >>45169833 #>>45169877 #>>45169899 #>>45169922 #>>45170115 #>>45170202 #>>45170608 #>>45170631 #>>45170738 #>>45170943 #>>45171084 #>>45171127 #>>45171420 #>>45171444 #>>45171619 #>>45171648 #>>45171666 #>>45171859 #>>45172334 #>>45172346 #>>45172355 #>>45172660 #>>45172846 #>>45174599 #>>45174607 #>>45175160 #>>45175246 #>>45176250 #>>45176355 #>>45176505 #>>45177184 #>>45177316 #>>45178543 #>>45178719 #>>45182153 #>>45183937 #>>45194407 #>>45194912 #>>45229781 #
nodesocket ◴[08 Sep 25 15:58 UTC] No.45169899[source]
What did the phishing email say that made you click and login?
replies(1): >>45170070 #
junon ◴[08 Sep 25 16:12 UTC] No.45170070[source]
That it had been more than 12 months since last updating them. Npm has done outreach before about doing security changes/enhancements in the past so this didn't really catch me.

Screenshot here: https://imgur.com/a/q8s235k

replies(7): >>45170187 #>>45170240 #>>45170308 #>>45170321 #>>45170333 #>>45170335 #>>45171291 #
SSLy ◴[08 Sep 25 16:19 UTC] No.45170187[source]
Can you post full message headers somewhere? It'd be interesting which MTA was involved in delivery from the sender's side.
replies(1): >>45170454 #
junon ◴[08 Sep 25 16:38 UTC] No.45170454[source]
Yep - https://gist.github.com/Qix-/c1f0d4f0d359dffaeec48dbfa1d40ee...
replies(3): >>45170638 #>>45171252 #>>45173824 #
alexellisuk ◴[08 Sep 25 17:37 UTC] No.45171252{3}[source]
How did simply opening this email in something like Gmail or a desktop client result in it being able to compromise NPM packages under your control?

I'm just curious - and as a word of warning to others so we can learn. I may be missing some details, I've read most of the comments on the page.

replies(1): >>45171314 #
1. junon ◴[08 Sep 25 17:41 UTC] No.45171314{4}[source]
I clicked the link like a genius :)
replies(2): >>45171400 #>>45171927 #
2. alexellisuk ◴[08 Sep 25 17:47 UTC] No.45171400[source]
:-( How did the link hijack your password/2fa? Or did you also enter some stuff on the form?
3. osa1 ◴[08 Sep 25 18:25 UTC] No.45171927[source]
I don't understand. The link could've come from anywhere (for example from a HN comment). How does just clicking on it give your package credentials to someone else? Is NPM also at fault here? I'd naively think that this shouldn't be possible.

For example, GitHub asks for 2FA when I change certain repo settings (or when deleting a repo etc.) even when I'm logged in. Maybe NPM needs to do the same?

replies(3): >>45171987 #>>45172119 #>>45172628 #
4. koil ◴[08 Sep 25 18:30 UTC] No.45171987[source]
As OC mentioned elsewhere, it was a targeted TOTP proxy attack.
replies(1): >>45172637 #
5. dboreham ◴[08 Sep 25 18:42 UTC] No.45172119[source]
OP entered their credentials and TOTP code, which the attacker proxied to the real npmjs.com

FWIW npmjs does support FIDO2 including hard tokens like Yubikey.

They do not force re-auth when issuing an access token with publish rights, which is probably how the attackers compromised the packages. iirc GitHub does force re-auth when you request an access token.

replies(1): >>45173739 #
6. ◴[08 Sep 25 19:18 UTC] No.45172628[source]
7. hughw ◴[08 Sep 25 19:18 UTC] No.45172637{3}[source]
So, he clicked the link and then entered his correct TOTP? how would manually typing the url instead of clicking the link have mitigated this?
replies(1): >>45172796 #
8. Mogzol ◴[08 Sep 25 19:30 UTC] No.45172796{4}[source]
They wouldn't have manually typed the exact URL from the email, they would have just typed in npmjs.com which would ensure they ended up on the real NPM site. Or even if they did type out the exact URL from the email, it would have made them much more likely to notice that it was not the real NPM URL.
9. osa1 ◴[08 Sep 25 20:44 UTC] No.45173739{3}[source]
> They do not force re-auth when issuing an access token with publish rights, which is probably how the attackers compromised the packages

I'm surprised by this. Yeah, GitHub definitely forces you to re-auth when accessing certain settings.