Most active commenters

    ←back to thread

    NPM debug and chalk packages compromised

    (www.aikido.dev)
    1369 points universesquid | 11 comments | 08 Sep 25 15:37 UTC | HN request time: 0.888s | source | bottom
    1. paxys ◴[08 Sep 25 21:22 UTC] No.45174186[source]
    Yeah I know "everyone can be pwned" etc. but at this point if you are not using a password manager and still entering passwords on random websites whose domains don't match the official one then you have no business doing anything of value on the internet.
    replies(6): >>45174727 #>>45175611 #>>45176385 #>>45177993 #>>45179019 #>>45179128 #
    2. djkoolaide ◴[08 Sep 25 22:13 UTC] No.45174727[source]
    Yeah, a password manager/autofill would have set off some alarms and likely prevented this, because the browser autofill would have detected a mismatch for the domain npmjs.help.
    3. const_cast ◴[08 Sep 25 23:45 UTC] No.45175611[source]
    This is true, but I've also run into legitimate password fields on different domains. Multiple times. The absolute worst offender is mobile app vs browser.

    Why does the mobile app use a completely different domain? Who designed this thing?

    4. Drblessing ◴[09 Sep 25 01:35 UTC] No.45176385[source]
    How does someone intelligent with 2FA get pwned? Serious question.
    replies(2): >>45176768 #>>45178922 #
    5. odie5533 ◴[09 Sep 25 02:39 UTC] No.45176768[source]
    Numbers game. Plenty of people got the email and deleted it. Only takes one person distracted and thinking "oh yeah my 2FA is pretty old" for them to get pwned.
    replies(2): >>45177288 #>>45177293 #
    6. pier25 ◴[09 Sep 25 04:09 UTC] No.45177288{3}[source]
    It's more than that. You need to log in, manually, into a new domain you've never used your password before.
    7. CGamesPlay ◴[09 Sep 25 04:10 UTC] No.45177293{3}[source]
    (I think everyone in this comment chain already knows this, but) PSA: your 2FA does not "get old" and does not need to be rotated (unless the device YOU stored it on was compromised). "Rotate your 2FA periodically" is NOT recommended security advice.
    8. 4ndrewl ◴[09 Sep 25 06:02 UTC] No.45177993[source]
    And I guess you can just withdraw your funding from him any time.
    9. Mawr ◴[09 Sep 25 08:00 UTC] No.45178922[source]
    Thinking you're above getting pwned is often step one :)

    It's not easy to be 100% vigilant 100% of the time against attacks deliberatly crafted to fall for them. All it takes is a single well crafted attack that strikes when you're tired and you're done.

    10. darkamaul ◴[09 Sep 25 08:13 UTC] No.45179019[source]
    I get the sentiment behind 'just use a password manager', but I don’t think victim-blaming should be the first reflex. Anyone can be targeted, and anyone can fail, even people who do 'everything right'.

    Password managers themselves have had vulnerabilities, browser autofill can fail, and phishing can bypass even well-trained users if the attack is convincing enough.

    Good hygiene (password managers, MFA, domain awareness) certainly reduces risk, but it doesn’t eliminate it. Framing security only as a matter of 'individual responsibility' ignores that attackers adapt, and that humans are not perfect computers. A healthier approach would be: encourage best practices, but also design systems that are resilient when users inevitably make mistakes.

    11. Tarq0n ◴[09 Sep 25 08:25 UTC] No.45179128[source]
    Have you used a Microsoft product lately? So many bigco's publishing their org chart as login domains.