Most active commenters
  • eviks(4)

←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 15 comments | 08 Sep 25 15:37 UTC | HN request time: 0.582s | source | bottom
Show context
junon ◴[08 Sep 25 15:49 UTC] No.45169794[source]
Hi, yep I got pwned. Sorry everyone, very embarrassing.

More info:

- https://github.com/chalk/chalk/issues/656

- https://github.com/debug-js/debug/issues/1005#issuecomment-3...

Affected packages (at least the ones I know of):

- ansi-styles@6.2.2

- debug@4.4.2 (appears to have been yanked as of 8 Sep 18:09 CEST)

- chalk@5.6.1

- supports-color@10.2.1

- strip-ansi@7.1.1

- ansi-regex@6.2.1

- wrap-ansi@9.0.1

- color-convert@3.1.1

- color-name@2.0.1

- is-arrayish@0.3.3

- slice-ansi@7.1.1

- color@5.0.1

- color-string@2.1.1

- simple-swizzle@0.2.3

- supports-hyperlinks@4.1.1

- has-ansi@6.0.1

- chalk-template@1.1.1

- backslash@0.2.1

It looks and feels a bit like a targeted attack.

Will try to keep this comment updated as long as I can before the edit expires.

---

Chalk has been published over. The others remain compromised (8 Sep 17:50 CEST).

NPM has yet to get back to me. My NPM account is entirely unreachable; forgot password system does not work. I have no recourse right now but to wait.

Email came from support at npmjs dot help.

Looked legitimate at first glance. Not making excuses, just had a long week and a panicky morning and was just trying to knock something off my list of to-dos. Made the mistake of clicking the link instead of going directly to the site like I normally would (since I was mobile).

Just NPM is affected. Updates to be posted to the `/debug-js` link above.

Again, I'm so sorry.

replies(39): >>45169833 #>>45169877 #>>45169899 #>>45169922 #>>45170115 #>>45170202 #>>45170608 #>>45170631 #>>45170738 #>>45170943 #>>45171084 #>>45171127 #>>45171420 #>>45171444 #>>45171619 #>>45171648 #>>45171666 #>>45171859 #>>45172334 #>>45172346 #>>45172355 #>>45172660 #>>45172846 #>>45174599 #>>45174607 #>>45175160 #>>45175246 #>>45176250 #>>45176355 #>>45176505 #>>45177184 #>>45177316 #>>45178543 #>>45178719 #>>45182153 #>>45183937 #>>45194407 #>>45194912 #>>45229781 #
cataflam ◴[08 Sep 25 22:52 UTC] No.45175160[source]
Hey, you're doing an exemplary response, transparent and fast, in what must be a very stressful situation!

I figure you aren't about to get fooled by phishing anytime soon, but based on some of your remarks and remarks of others, a PSA:

TRUSTING YOUR OWN SENSES to "check" that a domain is right, or an email is right, or the wording has some urgency or whatever is BOUND TO FAIL often enough.

I don't understand how most of the anti-phishing advice focuses on that, it's useless to borderline counter-productive.

What really helps against phishing :

1. NEVER EVER login from an email link. EVER. There are enough legit and phishing emails asking you to do this that it's basically impossible to tell one from the other. The only way to win is to not try.

2. U2F/Webauthn key as second factor is phishing-proof. TOTP is not.

That is all there is. Any other method, any other "indicator" helps but is error-prone, which means someone somewhere will get phished eventually. Particularly if stressed, tired, or in a hurry. It just happened to be you this time.

Good luck and well done again on the response!

replies(2): >>45175512 #>>45186585 #
diggan ◴[08 Sep 25 23:33 UTC] No.45175512[source]
Or you know, get a password manager like the rest of us. If your password manager doesn't show the usual autofill, since the domain is different than it should, take a step back and validate everything before moving on.

Have the TOTP in the same/another password manager (after considering the tradeoffs) and that can also not be entered unless the domain is right :)

replies(3): >>45175932 #>>45176903 #>>45178323 #
1. cataflam ◴[09 Sep 25 00:28 UTC] No.45175932[source]
I mostly agree and I do use one.

You only need read the whole thread however to see reasons why this would sometimes not be enough: sometimes the password manager does not auto-fill, so the user can think it's one of those cases, or they're on mobile and they don't have the extension there, or...

As a matter of fact, he does use one, that didn't save him, see: https://news.ycombinator.com/item?id=45175125

replies(1): >>45176155 #
2. eviks ◴[09 Sep 25 01:01 UTC] No.45176155[source]
> sometimes the password manager does not auto-fill

So pick one that does? That's like its top 2 feature

> he does use one

He doesn't since he has no autofill installed, so loses the key security+ convenience benefit of automatch

replies(3): >>45176295 #>>45176440 #>>45177428 #
3. y1n0 ◴[09 Sep 25 01:23 UTC] No.45176295[source]
He didn't say it didn't have the autofill feature, he said sometimes it doesn't work. I've experienced this pretty routinely with two different managers.
replies(1): >>45176407 #
4. eviks ◴[09 Sep 25 01:38 UTC] No.45176407{3}[source]
Yes he did, read again

> I was mobile, the autofill stuff isn't installed

5. acdha ◴[09 Sep 25 01:43 UTC] No.45176440[source]
> So pick one that does? That's like its top 2 feature

Still doesn’t work 100% of the time, because half of the companies on earth demote their developer time to breaking 1995-level forms. That’s why every popular password manager has a way to fill passwords for other domains, why people learn to use that feature, and why phishers have learned to convince people to use that feature.

WebAuthn prevents phishing. Password managers reduce it. This is the difference between being bulletproof like Superman or a guy in a vest.

replies(3): >>45177325 #>>45177537 #>>45177757 #
6. sunaookami ◴[09 Sep 25 04:14 UTC] No.45177325{3}[source]
Then good password managers will still show you only the logins for that domain. If the login is on another domain then you would have saved it anyways when first logging in/registering and if the site moved then you can get suspicious and check carefully first.
replies(2): >>45177497 #>>45181313 #
7. voxic11 ◴[09 Sep 25 04:31 UTC] No.45177428[source]
Mobile autofill requires you to make other security compromises.
replies(1): >>45177462 #
8. eviks ◴[09 Sep 25 04:37 UTC] No.45177462{3}[source]
Which ones, and how do they compare to this one?
9. voxic11 ◴[09 Sep 25 04:43 UTC] No.45177497{4}[source]
What are good password managers for chrome and Firefox on Android?
replies(2): >>45178357 #>>45199448 #
10. eviks ◴[09 Sep 25 04:49 UTC] No.45177537{3}[source]
You don't need 100%, just a high enough frequency that you wouldn't get used to dismissing the fail on auto pilot. Perfect shouldn't be the enemy of the good?
11. vinterson ◴[09 Sep 25 05:30 UTC] No.45177757{3}[source]
Given recent vuln of password manager extensions on desktop leaking passwords to malicious sites, I have disabled autofill on desktop... And autofill didn't work for me on ycombinator on mobile... Autofill is too unreliable.
12. Ghoelian ◴[09 Sep 25 06:47 UTC] No.45178357{5}[source]
Personally a big fan of 1Password. On the topic of autofill, the only website it sometimes won't fill is Reddit, which you know, whatever, I never go there anymore anyway.

As a developer I also love their ssh and gpg integrations, very handy.

I do get it for free from work, but if I had to choose one myself I'd have to pay for I'd probably still pick 1Passwrod.

replies(1): >>45182889 #
13. acdha ◴[09 Sep 25 12:56 UTC] No.45181313{4}[source]
All password managers allow copy-paste (which is what happened here) and the popular ones all offer you the ability to search and fill passwords from other domains. It's important to understand why they do, because it's also why these attacks continue to work: the user _thinks_ they are working around some kind of IT screwup, and 9 times out of 10 (probably closer to 99 out of 100) that's correct. Every marketing-driven hostname migration, every SSO failure, every front-end developer who breaks autofill, every “security expert” who was an accountant last year saying password managers are a vulnerability helps train users to think that it's not suspicious when you have to search for a different variation of the hostname or copy-paste a password.

That's why WebAuthn doesn't allow that as a core protocol feature, preventing both this attack and shifting the cost of unnecessary origin changes back to the company hosting the site. Attacking this guy for making a mistake in a moment of distraction is like prosecuting a soldier who was looking the other way when someone snuck past: wise leaders know that human error happens and structure the system to be robust against a single mistake.

14. mdaniel ◴[09 Sep 25 15:03 UTC] No.45182889{6}[source]
> I do get it for free from work, but if I had to choose one myself I'd have to pay for I'd probably still pick 1Passwrod.

I wanted to highlight that "getting it for free from work" isn't a sweetheart deal offered just to OP, but a feature of 1Password for Teams, meaning all employees of a business that uses 1Password automatically have a Family license for use at home https://support.1password.com/link-family/

And, for clarity, it's merely a financial relationship: the business cannot manage your Family account, cannot see its contents, and if you have a separation event you can retain the Family account forever in a read only capacity or you can take over the payment (or, heh, I presume move to another employer that also uses 1Password) and nothing changes for your home passwords

15. sunaookami ◴[10 Sep 25 15:47 UTC] No.45199448{5}[source]
I use selfhosted Bitwarden (Vaultwarden).