←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 4 comments | 08 Sep 25 15:37 UTC | HN request time: 0.638s | source
Show context
diggan ◴[08 Sep 25 15:55 UTC] No.45169863[source]
> Yes, I've been pwned. First time for everything, I suppose. It was a 2FA reset email that looked shockingly authentic. I should have paid better attention, but it slipped past me. Sincerely sorry, this is embarrassing.

My worst nightmare is to wake up, see an email like that and hastily try to recover it while still 90% asleep, compromising my account in the process.

However, I think I can still sleep safe considering I'm using a password manager that only shows up when I'm on the right domain. A 2FA phishing email sending me to some unknown domain wouldn't show my password manager on the site, and would hence give me a moment to consider what's happening. I'm wondering if the author here wasn't using any sort of password manager, or something slipped through anyways?

Regardless, fucking sucks to end up there, at least it ends up being a learned lesson for more than just one person, hopefully. I sure get more careful every time it happens in the ecosystem.

replies(1): >>45170179 #
hunter2_ ◴[08 Sep 25 16:19 UTC] No.45170179[source]
I agree, and this is arguably the best reason to use a password manager (with the next being lack of reuse which automatically occurs if you use generated passwords, and then the next being strength if you use generated passwords).

I generally recommend Google's to any Android users, since it suggests your saved password not only based on domain in Chrome browser, but also based on registered appID for native apps, to extend your point. I'm not sure if third party password managers do this, although perhaps it's possible for anti-monopoly reasons?

replies(3): >>45170430 #>>45170455 #>>45171047 #
tracker1 ◴[08 Sep 25 16:37 UTC] No.45170430[source]
I'm a pretty big fan of BitWarden/VaultWarden myself... though relatively recently something changed on my Android phone in that the password fills aren't working from inside my browser, I have to copy/paste from the app, which is not only irritating but potentially less safe.
replies(1): >>45172004 #
1. Dayshine ◴[08 Sep 25 18:31 UTC] No.45172004[source]
Consider adding the widget/action to your quick actions: then to don't need to copy paste at least
replies(1): >>45172650 #
2. hunter2_ ◴[08 Sep 25 19:19 UTC] No.45172650[source]
For those of us unfamiliar, can you describe the resulting UI pattern? Do you give focus to the password field and then tap a button at the top of the notification shade which automatically types (or gives a choice, if multiple are saved) whatever the password manager has for that site? I'm slightly surprised that something running in that context would know what site the browser has open.
replies(2): >>45174442 #>>45177449 #
3. tracker1 ◴[08 Sep 25 21:45 UTC] No.45174442[source]
It appears to work... I wasn't even really aware I could add such a thing until the GP comment. I also managed to get the integrated use working... apparently there's now a separate config option for "chrome integration" and "brave integration" etc.
4. sunaookami ◴[09 Sep 25 04:34 UTC] No.45177449[source]
It reads the browser URL through an accessibility service.