1369 points universesquid | 1 comments
junon ◴[] No.45169794[source]
Hi, yep I got pwned. Sorry everyone, very embarrassing.

More info:

- https://github.com/chalk/chalk/issues/656

- https://github.com/debug-js/debug/issues/1005#issuecomment-3...

Affected packages (at least the ones I know of):

- ansi-styles@6.2.2

- debug@4.4.2 (appears to have been yanked as of 8 Sep 18:09 CEST)

- chalk@5.6.1

- supports-color@10.2.1

- strip-ansi@7.1.1

- ansi-regex@6.2.1

- wrap-ansi@9.0.1

- color-convert@3.1.1

- color-name@2.0.1

- is-arrayish@0.3.3

- slice-ansi@7.1.1

- color@5.0.1

- color-string@2.1.1

- simple-swizzle@0.2.3

- supports-hyperlinks@4.1.1

- has-ansi@6.0.1

- chalk-template@1.1.1

- backslash@0.2.1

It looks and feels a bit like a targeted attack.

Will try to keep this comment updated as long as I can before the edit expires.

---

Chalk has been published over. The others remain compromised (8 Sep 17:50 CEST).

NPM has yet to get back to me. My NPM account is entirely unreachable; forgot password system does not work. I have no recourse right now but to wait.

Email came from support at npmjs dot help.

Looked legitimate at first glance. Not making excuses, just had a long week and a panicky morning and was just trying to knock something off my list of to-dos. Made the mistake of clicking the link instead of going directly to the site like I normally would (since I was mobile).

Just NPM is affected. Updates to be posted to the `/debug-js` link above.

Again, I'm so sorry.

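The package versions junon lists above, turned into a lockfile check. This is an added example, not code from the thread or from the chalk/debug projects; it assumes a package-lock.json in lockfile v1, v2 or v3 format and that the list above is complete as of the time of the post.

```javascript
// Added example: flag the listed package versions in a package-lock.json (Node, no deps).
const COMPROMISED = new Map([
  ["ansi-styles", "6.2.2"], ["debug", "4.4.2"], ["chalk", "5.6.1"],
  ["supports-color", "10.2.1"], ["strip-ansi", "7.1.1"], ["ansi-regex", "6.2.1"],
  ["wrap-ansi", "9.0.1"], ["color-convert", "3.1.1"], ["color-name", "2.0.1"],
  ["is-arrayish", "0.3.3"], ["slice-ansi", "7.1.1"], ["color", "5.0.1"],
  ["color-string", "2.1.1"], ["simple-swizzle", "0.2.3"], ["supports-hyperlinks", "4.1.1"],
  ["has-ansi", "6.0.1"], ["chalk-template", "1.1.1"], ["backslash", "0.2.1"],
]);
// Lockfile v2/v3: "packages" keys look like "node_modules/a/node_modules/@s/b"; the name follows the last "node_modules/".
function nameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? null : p.slice(i + "node_modules/".length);
}
// Lockfile v1: a nested "dependencies" tree of {version, dependencies}.
function* walkV1(deps, trail = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = [...trail, name];
    yield { name, version: entry.version, path: path.join(" > ") };
    yield* walkV1(entry.dependencies, path);
  }
}
// Returns every installed package whose exact version is on the list (nested copies included).
function findCompromised(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [p, entry] of Object.entries(lock.packages)) {
      const name = nameFromPath(p);
      if (name && COMPROMISED.get(name) === entry.version)
        hits.push({ name, version: entry.version, path: p });
    }
  } else {
    for (const d of walkV1(lock.dependencies))
      if (COMPROMISED.get(d.name) === d.version) hits.push(d);
  }
  return hits;
}
// Constructed sample lockfile (v3): a clean debug, plus two listed versions, one nested.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "app" },
  "node_modules/chalk": { version: "5.6.1" },
  "node_modules/debug": { version: "4.4.1" },
  "node_modules/chalk/node_modules/ansi-styles": { version: "6.2.2" },
} };
// Usage: node check-lock.js [path/to/package-lock.json]; without a path it scans the sample.
if (typeof require !== "undefined" && require.main === module) {
  const lock = process.argv[2] ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  for (const h of findCompromised(lock)) console.log(`${h.name}@${h.version}  (${h.path})`);
}
```

Versions are matched exactly, so a lockfile that was already regenerated after the packages were republished reports nothing; run it against the lockfile that was installed during the incident window.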
winwang ◴[] No.45170202[source]
Just want to agree with everyone who is thanking you for owning up (and so quickly). Got phished once while drunk in college (a long time ago), could have been anyone. NPM being slowish to get back to you is a bit surprising, though. Seems like that would only make attacks more lucrative.
sneak ◴[] No.45175107[source]
Can happen to anyone… who doesn’t use password manager autofill and unphishable 2FA like passkeys.

Most people who get phished aren’t using password managers, or they would notice that the autofill doesn’t work because the domain is wrong.

Additionally, TOTP 2FA (numeric codes) is phishable; stop using it when U2F/WebAuthn/passkeys are available.

I have never been phished because I follow best practices. Most people don’t.

junon ◴[] No.45175125[source]
I use a password manager. I was mobile, the autofill stuff isn't installed as I don't use it often on my phone.

In 15 years of maintaining OSS, I've never been pwned, phished, or anything of the sort.

Thank you for your input :)

sneak ◴[] No.45179111{3}[source]
I never copy and paste passwords. Any time you find yourself wanting to do that, alarm bells should be ringing.

Password managers can’t help you if you don’t use them properly.

Spotify, as well as other apps, steals (and presumably uploads) your clipboard. Autofill is your primary defense against phishing, as you (and hopefully some others) learned this week.

jasode ◴[] No.45179643{4}[source]
> Autofill is your primary defense against phishing,

The autofill feature is not 100% reliable for various reasons:

(1) Some companies use different domains that are legitimate but don't exactly match the URL in the password manager. Troy Hunt, the security expert who runs https://haveibeenpwned.com/, got tricked because he knew autofill is often blank because of legitimately different domains [1]. His sophisticated knowledge and heuristics of how autofill is implemented actually worked against him.

(2) Autofill doesn't work because of technical bugs in the plugin, HTML element detection, interaction/incompatibility with new browser versions, etc. It's a common complaint with all password plugins:

https://www.google.com/search?q=1password+autofill+doesn%27t...

https://www.1password.community/discussions/1password/1passw...

https://github.com/bitwarden/clients/issues?q=is%3Aissue%20a...

... so in the meantime while the autofill is broken, people have to manually copy-paste the password!

The real-world experience of flaky and glitchy autofill distorts the mental decision tree.

Instead of, "hey, the password manager didn't autofill my username/password?!? What's going on--OH SHIT--I'm being phished!" ... it becomes "it didn't autofill in the password (again) so I assume the Rube-Goldberg contraption of pw manager browser plugin + browser version is broken again."

Consider the irony of how password managers not being perfectly reliable causes sophisticated technical minds to become susceptible to social engineering.

In other words, password managers inadvertently create a "Normalization of Deviance": https://en.wikipedia.org/wiki/Normalization_of_deviance

[1] > Thirdly, the thing that should have saved my bacon was the credentials not auto-filling from 1Password, so why didn't I stop there? Because that's not unusual. There are so many services where you've registered on one domain (and that address is stored in 1Password), then you legitimately log on to a different domain. -- from: https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mail...

mdaniel ◴[] No.45183018{5}[source]
I want to live in a world where the 1Password CEO makes a formal apology for this failure, and applies the necessary internal pressure to treat any "autofill does not work" as a P0.

The number of cases in this thread, about a malware attack basically because of 1Password, where people mention their bad experience with 1Password is really stretching the "no such thing as bad publicity" theory.