
1369 points universesquid | 1 comment
0xbadcafebee No.45172225
Here we are again. 12 days ago (https://news.ycombinator.com/item?id=45039764) I commented on how a similar compromise of Nx was totally preventable.

Again, this is not the failure of a single person. This is a failure of the software industry. Supply chain attacks have gigantic impacts. Yet these are all solved problems. Somebody has to just implement the standard security measures that prevent these compromises. We're software developers... we're the ones to implement them.

Every software packaging platform on the planet should already require code signing, artifact signing, user account attacker access detection heuristics, 2FA, etc. If they don't, it's not because they can't, it's because nobody has forced them to.

These attacks will not stop. With AI (and continuous proof that they work) they will now get worse. Mandate software building codes now.

replies(6): >>45173632 >>45174856 >>45175596 >>45176278 >>45176808 >>45190724
const_cast No.45175596
A lot of these security measures have trade-offs, particularly when we start looking at heuristics or attestation-like controls.

These can exclude a lot of common systems and software, including automations. If your heuristic is quite naive like "is using Linux" or "is using Firefox" or "has an IP not in the US" you run into huge issues. These sound stupid, because they are, but they're actually pretty common across a lot of software.

Similar thing with 2FA. SMS isn't very secure, email primes you for phishing, TOTP is good... but it needs to be an open standard, otherwise we're just doing the "exclude users" thing again. TOTP is still phishable, though. Only hardware attestation isn't, but that's a huge red flag and I don't think NPM could do that.

replies(1): >>45175834
rtpg No.45175834
I have a hard time arguing that 2FA isn't a massive win in almost every circumstance. Having a "confirm that you have uploaded a new package" thing as the default seems good! Someone like npm mandating that a human being presses a button with a recaptcha for any package downloaded by more than X times per week just feels almost mandatory at this point.

The attacks are still possible, but they're not going to be nearly as easy here.

replies(1): >>45177038
SchemaLoad No.45177038
2FA is a huge benefit over plain passwords. But it wasn't enough here. The package dev had 2FA and it did not help since they got tricked into logging in to a phishing page which proxied the 2FA code to the real login page.
replies(1): >>45178936
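The relay that SchemaLoad describes, and the distinction const_cast draws between phishable TOTP and origin-bound hardware authentication, as an added, self-contained example (not code from any commenter, npm, or the Nx project). Both servers, the secret values, the timestamp and the origin names are constructed for the illustration; the "real" registry is modelled as a tiny in-process class, and the security key's signature is simplified to an HMAC over nonce plus origin in place of a real WebAuthn assertion.

```python
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://registry.example"          # assumed name for the real login page


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, 6 digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238: HOTP keyed on the 30-second time step."""
    return hotp(secret, now // step)


class Registry:
    """Toy login server. It sees only the submitted values, never where they were typed."""

    def __init__(self, totp_secret: bytes, device_key: bytes):
        self.totp_secret = totp_secret
        self.device_key = device_key      # stands in for a registered WebAuthn public key
        self.nonce = None

    def login_totp(self, password: str, code: str, now: int):
        ok = password == "hunter2" and hmac.compare_digest(code, totp(self.totp_secret, now))
        return "session-token" if ok else None

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def login_bound(self, signature: bytes):
        # The server verifies against ITS origin; a signature over any other origin fails.
        expected = hmac.new(self.device_key, self.nonce + REAL_ORIGIN.encode(), hashlib.sha256).digest()
        return "session-token" if hmac.compare_digest(signature, expected) else None


class Authenticator:
    """User's security key. It signs the challenge together with the origin the browser reports."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key

    def sign(self, nonce: bytes, origin_seen: str) -> bytes:
        return hmac.new(self.device_key, nonce + origin_seen.encode(), hashlib.sha256).digest()


def relay_totp(now: int, relay_delay: int):
    """Victim types password + TOTP into the phishing page; the attacker replays them
    against the real server relay_delay seconds later."""
    secret = b"victim-totp-seed"                 # constructed sample secret
    real = Registry(secret, b"unused")
    password, code = "hunter2", totp(secret, now)   # what the victim typed on the fake page
    return real.login_totp(password, code, now + relay_delay)


def relay_origin_bound(origin_seen: str):
    """Same relay, but with an origin-bound authenticator: the phishing page forwards the
    real nonce, yet the signature covers the origin the victim actually visited."""
    device_key = b"victim-device-key"            # constructed sample key
    real = Registry(b"unused", device_key)
    key = Authenticator(device_key)
    nonce = real.challenge()                     # attacker fetches a real challenge and relays it
    return real.login_bound(key.sign(nonce, origin_seen))


if __name__ == "__main__":
    t = 1_700_000_010                            # constructed timestamp, start of a 30 s step
    print("TOTP relayed within the window:", relay_totp(t, 3))       # session-token
    print("TOTP relayed a window too late:", relay_totp(t, 60))      # None
    print("bound login from real origin:", relay_origin_bound(REAL_ORIGIN))                          # session-token
    print("bound login from phishing origin:", relay_origin_bound("https://registry-login.example"))  # None
```

The point the two scenarios make: a TOTP code is just six digits that are valid anywhere for about 30 seconds, so a proxy that forwards them in real time wins; an origin-bound authenticator signs the origin the browser actually connected to, so the relayed nonce comes back with the wrong origin baked in and the real server rejects it without any heuristic about who or where the user is.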
bbarnett No.45178936
Yet the parent said for each upload prior to publish.

This attack would have 100% been thwarted, when a load of emails appeared saying "publish package you just uploaded?".

(if you read the dev's account of this, you'll see this would have worked)

replies(2): >>45180059 >>45180839
hvb2 No.45180839
Assuming you've compromised said developers account, wouldn't you be able to click that publish button too?