
1369 points universesquid | 1 comments
andrewmcwatters No.45169908
@junon, if it makes you feel any better, I once had a Chinese hacking group target my router and hijack my DNS configuration specifically to make "amazon.com" point to a 1:1 replica of the site just to steal my Amazon credentials.

There was no way to quickly visualize that the site was fake, because it was, in fact, "actually" amazon.com.

Phishing sucks. Sorry to read about this.

Edit: To other readers, yes, the exploit failed to use an additional TLS attack, which was how I noticed something was wrong. Otherwise, the site was identical. This was many years ago before browsers were as vocal as they are now about unsecured connections.

replies(5): >>45169946 #>>45169949 #>>45169952 #>>45169953 #>>45169958 #
bix6 No.45169952
Any write up? I would like to learn more to avoid.
replies(1): >>45179298 #
1. dns_snek No.45179298
The exact attack they described is less of an issue these days due to HSTS and preloading, but:

- make sure you're connected to the expected official domain (though many companies are desensitizing us to this threat by using distinct domains instead of subdomains for official business)

- make sure you're connected over HTTPS (this was most likely their issue)

- use a password manager which remembers official domains for you and won't offer to auto-fill on phishing sites

- use a 2FA method that's immune to phishing, like passkeys or security keys (if you do this, you get a lot of leniency to mistakes everywhere else)
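
The HSTS and preloading behaviour mentioned in the reply above, as an added example that is not part of the thread or any commenter's code: a simplified Python model of how a browser decides to force HTTPS for a host before any request is sent. The `.example` hostnames are constructed, and `parse_hsts`, `HstsStore` and their methods are hypothetical names used for illustration.

```python
def parse_hsts(header):
    """Parse a Strict-Transport-Security value; None if a browser would ignore it."""
    policy = {"max_age": None, "include_subdomains": False}
    seen = set()
    for part in filter(None, (p.strip() for p in header.split(";"))):
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in seen:          # RFC 6797: a repeated directive voids the header
            return None
        seen.add(name)
        value = value.strip().strip('"')
        if name == "max-age":
            if not (value.isascii() and value.isdigit()):
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        # unknown directives (including "preload") are ignored by the browser
    return policy if policy["max_age"] is not None else None  # max-age is required


class HstsStore:
    """Simplified browser HSTS state: shipped preload list plus learned hosts."""

    def __init__(self, preloaded=()):
        self.preloaded = set(preloaded)   # never expires, always covers subdomains
        self.learned = {}                 # host -> (expiry, include_subdomains)

    def note(self, host, header, now):
        """Record a header seen on an error-free HTTPS response from host."""
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy["max_age"] == 0:        # max-age=0 tells the browser to forget
            self.learned.pop(host, None)
        else:
            self.learned[host] = (now + policy["max_age"],
                                  policy["include_subdomains"])

    def must_use_https(self, host, now):
        """True if http://host is rewritten to https:// before any request is sent."""
        labels = host.lower().split(".")
        for i in range(len(labels)):      # the host itself, then each parent domain
            name = ".".join(labels[i:])
            expiry, subs = self.learned.get(name, (0, False))
            if name in self.preloaded or (expiry > now and (i == 0 or subs)):
                return True
        return False
```

A host that is neither preloaded nor previously visited over valid HTTPS returns `False`, which is the first-visit gap that preloading closes.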