←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 1 comments | 08 Sep 25 15:37 UTC | HN request time: 0s | source
Show context
junon ◴[08 Sep 25 15:49 UTC] No.45169794[source]
Hi, yep I got pwned. Sorry everyone, very embarrassing.

More info:

- https://github.com/chalk/chalk/issues/656

- https://github.com/debug-js/debug/issues/1005#issuecomment-3...

Affected packages (at least the ones I know of):

- ansi-styles@6.2.2

- debug@4.4.2 (appears to have been yanked as of 8 Sep 18:09 CEST)

- chalk@5.6.1

- supports-color@10.2.1

- strip-ansi@7.1.1

- ansi-regex@6.2.1

- wrap-ansi@9.0.1

- color-convert@3.1.1

- color-name@2.0.1

- is-arrayish@0.3.3

- slice-ansi@7.1.1

- color@5.0.1

- color-string@2.1.1

- simple-swizzle@0.2.3

- supports-hyperlinks@4.1.1

- has-ansi@6.0.1

- chalk-template@1.1.1

- backslash@0.2.1

It looks and feels a bit like a targeted attack.

Will try to keep this comment updated as long as I can before the edit expires.

---

Chalk has been published over. The others remain compromised (8 Sep 17:50 CEST).

NPM has yet to get back to me. My NPM account is entirely unreachable; forgot password system does not work. I have no recourse right now but to wait.

Email came from support at npmjs dot help.

Looked legitimate at first glance. Not making excuses, just had a long week and a panicky morning and was just trying to knock something off my list of to-dos. Made the mistake of clicking the link instead of going directly to the site like I normally would (since I was mobile).

Just NPM is affected. Updates to be posted to the `/debug-js` link above.

Again, I'm so sorry.

replies(39): >>45169833 #>>45169877 #>>45169899 #>>45169922 #>>45170115 #>>45170202 #>>45170608 #>>45170631 #>>45170738 #>>45170943 #>>45171084 #>>45171127 #>>45171420 #>>45171444 #>>45171619 #>>45171648 #>>45171666 #>>45171859 #>>45172334 #>>45172346 #>>45172355 #>>45172660 #>>45172846 #>>45174599 #>>45174607 #>>45175160 #>>45175246 #>>45176250 #>>45176355 #>>45176505 #>>45177184 #>>45177316 #>>45178543 #>>45178719 #>>45182153 #>>45183937 #>>45194407 #>>45194912 #>>45229781 #
nodesocket ◴[08 Sep 25 15:58 UTC] No.45169899[source]
What did the phishing email say that made you click and login?
replies(1): >>45170070 #
junon ◴[08 Sep 25 16:12 UTC] No.45170070[source]
That it had been more than 12 months since last updating them. Npm has done outreach before about doing security changes/enhancements in the past so this didn't really catch me.

Screenshot here: https://imgur.com/a/q8s235k

replies(7): >>45170187 #>>45170240 #>>45170308 #>>45170321 #>>45170333 #>>45170335 #>>45171291 #
SSLy ◴[08 Sep 25 16:19 UTC] No.45170187[source]
Can you post full message headers somewhere? It'd be interesting which MTA was involved in delivery from the sender's side.
replies(1): >>45170454 #
junon ◴[08 Sep 25 16:38 UTC] No.45170454[source]
Yep - https://gist.github.com/Qix-/c1f0d4f0d359dffaeec48dbfa1d40ee...
replies(3): >>45170638 #>>45171252 #>>45173824 #
alexellisuk ◴[08 Sep 25 17:37 UTC] No.45171252[source]
How did simply opening this email in something like Gmail or a desktop client result in it being able to compromise NPM packages under your control?

I'm just curious - and as a word of warning to others so we can learn. I may be missing some details, I've read most of the comments on the page.

replies(1): >>45171314 #
junon ◴[08 Sep 25 17:41 UTC] No.45171314[source]
I clicked the link like a genius :)
replies(2): >>45171400 #>>45171927 #
1. alexellisuk ◴[08 Sep 25 17:47 UTC] No.45171400{3}[source]
:-( How did the link hijack your password/2fa? Or did you also enter some stuff on the form?