Seems to have been targeted by the same phishing campaign.
diggan · 1h ago
So far, it seems to be a bog-standard phishing email, with not much novelty or sophistication, seems the people running the operation got very lucky with their victims though.
I'm starting to think we haven't even seen the full scope of it yet, two authors confirmed as compromised, must be 10+ out there we haven't heard of yet?
IshKebab · 17m ago
Probably the differentiating factor here is that the phishing message was very plausible. Normally they're full of spelling mistakes and unprofessional grammar. The domain was also plausible.
I think where they got lucky is
> In hindsight, the fact that his browser did not auto-complete the login should have been a red flag.
A huge red flag. I wonder if browsers should actually detect if you're putting login details for site A manually into site B, and give you a "are you sure this isn't phishing" warning or something?
I don't quite understand how the chalk author fell for it though. They said
> This was mobile, I don't use browser extensions for the password manager there.
So are there mobile password managers that don't even check the URL? I dunno how that works...
hiccuphippo · 4m ago
My guess is their password manager is a separate app and they use the clipboard (or maybe it's a keyboard app) to paste the password. No way for the password manager to check the url in that case.
skeeter2020 · 29m ago
>> So far, it seems to be a bog-standard phishing email
The fact this is NOT the standard phishing email shows how low the bar is:
1. the text of the email reads like one you'd get from npm in the tone, format and lack of obvious spelling & grammatical errors. It pushes you to move quicker than you might normally, without triggering the typical suspicions.
2. the landing domain and website copy seem really close to legit, no obfuscated massive subdomain, no uncanny login screen, etc.
All the talk of AI disrupting tech; this is an angle where generative AI can have a massive impact in democratizing the global phishing industry. I do agree with you that there's likely many more authors who have been tricked and we haven't seen the full fallout.
diggan · 18m ago
Both of those points are fairly common in phishing emails, at least the ones I receive. Cloning the HTML/CSS for phishing has been done for as long as I've been able to receive emails, don't even need LLMs for that :)
r_lee · 22m ago
How does AI relate to this in any way? you can easily clone websites by just copying via devtools, like seriously
same with just copying email HTML
it's actually easier to make it looke exactly the same vs different in some ways
eviks · 20m ago
> This website contained a *pixel-perfect copy* of the npmjs.com website.
Not sure how this emphasis is of any importance, you brain doesn't have a pixel perfect image of the website, so you wouldn't know whether it's a perfect replica or not.
Let the silicon dummies in the password manager so the matching, don't strain your brain with such games outside of entertainment
koakuma-chan · 59m ago
Should enforce passkeys not 2FA
cr125rider · 33m ago
How is that different?
semiquaver · 28m ago
Passkeys are unphishable because there is nothing to type in. And they are locked to an origin by design, so you can’t accidentally use one on the wrong domain because the browser simply won’t do it.
koakuma-chan · 29m ago
Passkey only works when you're on the correct website
diggan · 27m ago
Use a password manager (that isn't too buggy and/or suck) and you get the same thing for both TOTP and passwords.
koakuma-chan · 24m ago
Npm can't force people to use password manager
diggan · 17m ago
Nor does TOTP+password lock you to one authentication provider indefinitely. Tradeoffs :)
maltee · 4m ago
You can always register a new passkey with the site if you want to switch authentication providers, can’t you?
ljlolel · 16m ago
You can if you just force passwords longer than people can memorize or even want to write down (assigned 24+ characters)
koakuma-chan · 8m ago
It's just gonna be on a sticky note hanging on the screen or under keyboard
243423443 · 28m ago
Care to explain?
vladvasiliu · 25m ago
The actual URL in the browser is part of what the passkey signs. So if you go to totallynotascam.com which turns out to be some dude intercepting and passing the connection to npm, the signature would be refused by npm since it wouldn't be for the correct domain.
operator-name · 28m ago
The browser ensures that a passkey can only be used on the correct site.
nodesocket · 24m ago
I think just supporting yubikeys is sufficient.
koakuma-chan · 23m ago
I have two yubikeys lying around, how do I use them? I don't even have the correct hole in my laptop or in my phone to insert them
BenjiWiebe · 17m ago
You can use an adapter (usb-a to usb-c). Or are they NFC capable? Some models are.
nodesocket · 20m ago
This is a joke right? Can’t say I’ve ever heard of USB ports referred to as “holes”.
koakuma-chan · 16m ago
> Can’t say I’ve ever heard of USB ports referred to as “holes”.
I cannot be bother to remember every hole name. They're all USB anyway, the difference is that some are A, C, or Lightning, I bought a new MacBook and it has that magnet hole, what is that called? I'm not following.
koakuma-chan · 19m ago
No I'm serious. I used to work on a PC and I had the correct hole, but I never figured out how to make yubikey useful and of course I couldn't use it with my phone. Maybe I'm missing something?
KevinMS · 20m ago
yubikeys locks up my firefox on both windows and mac, no thanks
nodesocket · 14m ago
Mine works flawlessly in Chrome on MacOS. Maybe you got defective one, or try factory resetting it.
ebfe1 · 41m ago
Is it just me who think this could have been prevented if npm admins put in some sort of cool off period to only allow new versions or packages to be downloaded after being published by "x" amount of hours? This way the npm maintainer would get notifications on their email and react immediately? And if it is urgent fix, perhaps there can be a process to allow npm admin to approve and bypass publication cool off period.
Disclaimer: I don't know enough of npm/nodejs community so I might be completely off the mark here
lovehashbrowns · 59m ago
I guess it's hands off the npm jar for a week or three 'cause I am expecting a bunch more packages to be affected at this point.
arewethereyeta · 1h ago
> An attacker published new versions of four of duckdb’s packages that included malicious code to interfere with cryptocoin transactions
How can anyone publish their packages?
OtherShrezzing · 1h ago
The attacker emailed a maintainer from a legitimate looking email address. The maintainer clicked the link and reset their credentials on a legitimate looking website. The attacker then signs into the legitimate duckdb account and publishes their new package.
This is the second high-profile instance of the technique this week.
arewethereyeta · 1h ago
2FA for such high profile packages should be enforced
jsheard · 1h ago
It is, if your packages are popular enough then npm will force you to enable 2FA. They started doing that a few years ago. It clearly doesn't stop everything though, the big attack yesterday went through 2FA by tricking the author into doing a "2FA reset".
diggan · 1m ago
> It is, if your packages are popular enough then npm will force you to enable 2FA.
Are they actively forcing it? I've received the "Remember to enable 2FA" email notifications from NPM since 2022 I think, but haven't bothered since I'm not longer publishing packages/updates.
Besides, the email conveniently mentions their "automation" tokens as well, which when used for publishing updates, bypasses 2FA fully.
frizlab · 52m ago
Passkeys should be enforced
skeeter2020 · 27m ago
for popular packages - and in this case - they are. This attack (and yesterday's) are relay attacks, with the attacker in the middle between npm and the target.
koakuma-chan · 1h ago
He would have entered 2FA too
pneff · 1h ago
There is a detailed postmortem in the linked ticket explaining exactly how this happened.
masfuerte · 1h ago
This is the same phishing attack that hit junon yesterday.
I hate the janky password manager browser extensions but at least they make it hard to make this mistake.
bakugo · 1h ago
> According to the npm statistics, nobody has downloaded these packages before they were deprecated
Is this actually accurate? Packages with weekly downloads in the hundreds of thousands, yet in the 4+ hours that the malicious versions were up for, not a single person updated any of them to the latest patch release?
hfmuehleisen · 42m ago
DuckDB maintainer here, thanks for flagging this. Indeed the npm stats are delayed. We will know in a day or so what the actual count was. In the meantime, I've removed that statement.
belgattitude · 32m ago
I think you should unpublish rather than deprecate... `npm unpublish package@version` ... It's possible within 72h. One reason is that the patched version contains -alpha... so tools like npm-check-updates would keep the 1.3.3 as the latest release for those who installed it
hfmuehleisen · 29m ago
Yes we tried, but npm would not let us because of "dependencies". We've reached out to them and are waiting for a response. In the meantime, we re-published the packages with newer versions so people won't accidentally install the compromised version.
diggan · 1h ago
I think that's pretty unlikely. I aren't even a high-profile npm author, and if I publish any npm package they end up being accessed/downloadaded within minutes of first publish, and any update after that.
I also know projects who are reading the update feeds and kick off CI jobs after any dependencies are updated to automatically test version upgrades, surely at least one dependent of DuckDB is doing something similar.
mediumsmart · 1h ago
Comes with the territory considering that npm is defacto the number one enshittification dependency by now. But no worries - this will scale beautifully.
downvotes appreciated but also happy to see one or two urls that would prove me wrong
eviks · 28m ago
In the spirit of a substantive discussion could you likewise share a couple that would prove you right?
https://www.aikido.dev/blog/npm-debug-and-chalk-packages-com...
I'm starting to think we haven't even seen the full scope of it yet, two authors confirmed as compromised, must be 10+ out there we haven't heard of yet?
I think where they got lucky is
> In hindsight, the fact that his browser did not auto-complete the login should have been a red flag.
A huge red flag. I wonder if browsers should actually detect if you're putting login details for site A manually into site B, and give you a "are you sure this isn't phishing" warning or something?
I don't quite understand how the chalk author fell for it though. They said
> This was mobile, I don't use browser extensions for the password manager there.
So are there mobile password managers that don't even check the URL? I dunno how that works...
The fact this is NOT the standard phishing email shows how low the bar is:
1. the text of the email reads like one you'd get from npm in the tone, format and lack of obvious spelling & grammatical errors. It pushes you to move quicker than you might normally, without triggering the typical suspicions.
2. the landing domain and website copy seem really close to legit, no obfuscated massive subdomain, no uncanny login screen, etc.
All the talk of AI disrupting tech; this is an angle where generative AI can have a massive impact in democratizing the global phishing industry. I do agree with you that there's likely many more authors who have been tricked and we haven't seen the full fallout.
same with just copying email HTML
it's actually easier to make it looke exactly the same vs different in some ways
Not sure how this emphasis is of any importance, you brain doesn't have a pixel perfect image of the website, so you wouldn't know whether it's a perfect replica or not.
Let the silicon dummies in the password manager so the matching, don't strain your brain with such games outside of entertainment
I cannot be bother to remember every hole name. They're all USB anyway, the difference is that some are A, C, or Lightning, I bought a new MacBook and it has that magnet hole, what is that called? I'm not following.
Disclaimer: I don't know enough of npm/nodejs community so I might be completely off the mark here
How can anyone publish their packages?
This is the second high-profile instance of the technique this week.
Are they actively forcing it? I've received the "Remember to enable 2FA" email notifications from NPM since 2022 I think, but haven't bothered since I'm not longer publishing packages/updates.
Besides, the email conveniently mentions their "automation" tokens as well, which when used for publishing updates, bypasses 2FA fully.
https://news.ycombinator.com/item?id=45169657
Is this actually accurate? Packages with weekly downloads in the hundreds of thousands, yet in the 4+ hours that the malicious versions were up for, not a single person updated any of them to the latest patch release?
I also know projects who are reading the update feeds and kick off CI jobs after any dependencies are updated to automatically test version upgrades, surely at least one dependent of DuckDB is doing something similar.
downvotes appreciated but also happy to see one or two urls that would prove me wrong