←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 1 comments | 08 Sep 25 15:37 UTC | HN request time: 0s | source
Show context
nodesocket ◴[08 Sep 25 15:56 UTC] No.45169885[source]
This is terrifying. Reminder to store your crypto in a hardware based wallet like Ledger not browser based. Stay frosty when making transfers from exchanges.
replies(3): >>45169921 #>>45169962 #>>45171452 #
nixosbestos ◴[08 Sep 25 16:03 UTC] No.45169962[source]
How is it terrifying? They clicked through a 2FA reset email, a process that I have never, and will never need to go through, and seemingly one that they didn't even initiate.
replies(2): >>45170037 #>>45170154 #
nodesocket ◴[08 Sep 25 16:10 UTC] No.45170037[source]
Like you’ve never made a mistake before. Blatantly blaming the maintainer is unfair. They made a mistake, it happens.
replies(1): >>45170350 #
nixosbestos ◴[08 Sep 25 16:32 UTC] No.45170350[source]
No, I have never, ever responded to an explicit ask to reset the most important security feature of my accounts, without me initiating it, and I use a password manager (lol) so, no, I will never, ever encounter this problem. Because I care about my data, safety, and integrity, and my users'. There's literally no reason ever why I would or will do a 2FA reset.

It does happen, yes, it's not terrifying.

replies(2): >>45171346 #>>45171470 #
1. wewtyflakes ◴[08 Sep 25 17:51 UTC] No.45171470{3}[source]
Nobody cares if you, specifically, are this diligent. The terror is because unless _absolutely everyone_ who maintains NPM packages is this diligent, then we are all vulnerable. That sounds terrifying to me!