We All Dodged a Bullet

Posted4 months agoActive4 months ago

WhyNotHugo

830 points

484 comments

xeiaso.netTechstoryHigh profile

heatedmixed

Debate

80/100

NpmSupply Chain AttackPhishingSecurity

Key topics

Npm

Supply Chain Attack

Phishing

Security

Related: NPM debug and chalk packages compromised - https://news.ycombinator.com/item?id=45169657

A recent phishing attack on npm users was narrowly avoided, highlighting the vulnerabilities in the npm ecosystem and the need for better security measures. The discussion revolves around the attack, its implications, and potential solutions.

Snapshot generated from the HN discussion

Discussion Activity

Very active discussion

First comment

Peak period

110

0-6h

Avg / period

13.3

Comment distribution160 data points

Loading chart...

Based on 160 loaded comments

Key moments

01Story posted
Sep 9, 2025 at 11:11 AM EDT
4 months ago
Step 01
02First comment
Sep 9, 2025 at 11:13 AM EDT
2m after posting
Step 02
03Peak activity
110 comments in 0-6h
Hottest window of the conversation
Step 03
04Latest activity
Sep 12, 2025 at 8:46 PM EDT
4 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (484 comments)

Showing 160 comments of 484

duxup

4 months ago

3 replies

Is it possible to do the thing proposed in the email without clicking the link?

I just try to avoid clicking links in emails generally...

loloquwowndueo

4 months ago

3 replies

Should be - open another browser window and manually log into npm whatever, and update your 2fa there.

Definitely good practice .

Dilettante_

4 months ago

2 replies

This is the Way. To minimize attack surface, the senders of authentic messages should straight-up avoid putting links to "do the thing" in the message. Just tell the user to update their credentials via the website.

viraptor

4 months ago

2 replies

That's what the Australian Tax Office does. Just a plaintext message that's effectively "you've got a new message. Go to the website to read it."

duxup

4 months ago

2 replies

All my medical places I use do that, with the note that you can also use their app. Good system.

darthwalsh

4 months ago

Personally, I'd rather they put the HIPAA message content straight into the email, and let Gmail sort out the priority. About 90% "you have received a message" notifications are not actionable: "you made an appointment" or "take this survey nobody cares about."

foxglacier

4 months ago

Unfortunately, my doctor's office texts me their bank account number saying "please pay $75 to this account". It told them that's putting people at risk of phishing but they didn't care.

amysox

4 months ago

My doctor's office does the same thing. So do some financial services companies.

Roguelazer

4 months ago

For most users, that'll just result in them going to Google, searching for the name of your business, and then clicking the first link blindly. At that point you're trusting that there's no malicious actors squatting on your business name's keyword -- and if you're at all an interesting target, there's definitely malvertising targeting you.

The only real solution is to have domain-bound identities like passkeys.

hu3

4 months ago

That's what I always do. Never click these kinds of links in e-mail.

Always manually open the website.

This week Oracle Cloud started enforcing 2FA. And surely I didn't click their e-mail link to do that.

ares623

4 months ago

But won’t someone think of the friction? /s

My theory is that if that companies start using that workflow in the future, it’ll become even _easier_ for users to click a random link, because they’d go “wow! That’s so convenient now!”

0cf8612b2e1e

4 months ago

The Microsoft ecosystem certainly makes this challenging. At work, I get links to Sharepoint hosted things with infinitely long hexadecimal addresses. Otherwise finding resources on Sharepoint is impossible.

JohnFen

4 months ago

> I just try to avoid clicking links in emails generally...

I don't just generally try, I _never_ click links in emails from companies, period. It's too dangerous and not actually necessary. If a friend sends me a link, I'll confirm it with them directly before using it.

dsff3f3f3f

4 months ago

8 replies

> These kinds of dependencies are everywhere and nobody would even think that they could be harmful.

Tons of people think these kind of micro dependencies are harmful and many of them have been saying it for years.

SebastianKra

4 months ago

1 reply

Yeah, there's an entire community dedicated to cleaning up the js ecosystem.

https://e18e.dev/

Micro-dependencies are not the only thing that went wrong here, but hopefully this is a wakeup call to do some cleaning.

skydhash

4 months ago

Discord server? Is it that much work to create a forum or a mailing list with anonymous access. Especially with a community you can vet that easily?

balder1991

4 months ago

1 reply

Working for a bank did make me think much more about all the vulnerabilities that can go into certain tools. The company has a lot of bureaucracy to prevent installing anything or adding external dependencies.

benoau

4 months ago

1 reply

Working for a fintech and being responsible for the software made me very wary of dependencies and weeding out the deprecated and EOL'd stuff that had somehow already found its way into what was a young project when I joined. Left unrestrained, developers will add anything if it resolves their immediate needs like you could probably spread malware very well just by writing a fake-blog advocating a malicious module to solve certain scenarios.

esseph

4 months ago

> Left unrestrained, developers will add anything if it resolves their immediate needs

Absolutely. A lot of developers work on a large Enterprise app for years and then scoot off to a different project or company.

What's not fun is being the poor Ops staff that have to deal with supporting the library dependencies, JVM upgrades, etc for decades after.

stickfigure

4 months ago

2 replies

It wouldn't be a problem if there wasn't a culture of "just upgrade everything all the time" in the javascript ecosystem. We generally don't have this problem with Java libraries, because people pick versions and don't upgrade unless there's good reason.

ilvez

4 months ago

1 reply

From maintenance perspective both never and always seem like extremes though.

Upgrading when falling off the train is serious drawback on moving fast..

0xDEAFBEAD

4 months ago

Maybe we need two upgrade paths: An expedited auto-upgrade path which requires multi-key signoff from various trusted developers, and a standard upgrade path which is low-pressure.

jcelerier

4 months ago

and then you get Log4Shell

Groxx

4 months ago

4 replies

I'm rather convinced that the next major language-feature wave will be permissions for libraries. It's painfully clear that we're well past the point where it's needed.

I didn't think it'll make things perfect, not by a long shot. But it can make the exploits a lot harder to pull off.

crazygringo

4 months ago

3 replies

Totally agreed, and I'm surprised this idea hasn't become more mainstream yet.

If a package wants to access the filesystem, shell, OS API's, sockets, etc., those should be permissions you have to explicitly grant in your code.

mike_hearn

4 months ago

3 replies

It's harder than it looks. I wrote an essay exploring why here:

https://blog.plan99.net/why-not-capability-languages-a8e6cbd...

Groxx

4 months ago

1 reply

tbh none of that sounds particularly bad, nor do I think capabilities are necessary (but obviously useful).

we could literally just take Go and categorize on "imports risky package" and we'd have a better situation than we have now, and it would encourage library design that isolates those risky accesses so people don't worry about them being used. even that much should have been table stakes over a decade ago.

and like:

>No language has such an object or such interfaces in its standard library, and in fact “god objects” are viewed as violating good object oriented design.

sure they do. that's dependency injection, and you'd probably delegate it to a dependency injector (your god object) that resolves permissions. plus go already has an object for it that's passed almost everywhere: context.

perfect isn't necessary. what we have now very nearly everywhere is the most extreme example of "yolo", almost anything would be an improvement.

mike_hearn

4 months ago

1 reply

Yes, dependency injection can help although injectors don't have any understanding of whether an object really needs a dependency. But that's not a god object in the sense it's normally meant. For one, it's injecting different objects :)

Groxx

4 months ago

1 reply

to be clear, I mean that the DI container/whatever is "the god object" - it holds essentially every dependency and every piece of your own code, knows how to construct every single one, and knows what everything needs. it's the biggest and most complicatedly-intertwined thing in pretty much any application, and it works so well that people forget it exists or how it works, and carrying permission-objects through that on a library level would be literally trivial because all of them already do everything needed.

hence: doesn't sound too bad

"truly needs": currently, yes. but that seems like a fairly easy thing to address with library packaging systems and a language that supports that. static analysis and language design to support it can cover a lot (e.g. go is limited enough that you can handle some just from scanning imports), and "you can ask for something you don't use, it just means people are less likely to use your library" for the exceptions is hardly a problem compared to our current "you already have every permission and nobody knows it".

mike_hearn

4 months ago

Yes, I do agree that integration with DI is one way to make progress on this problem that hasn't been tried before.

ryukafalz

4 months ago

1 reply

Thanks, this was a good overview of some of the challenges involved with designing a capability language.

I think I need to read up more on how to deal with (avoiding) changes to your public APIs when doing dependency injection, because that seems like basically what you're doing in a capability-based module system. I feel like there has to be some way to make such a system more ergonomic and make the common case of e.g. "I just want to give this thing the ability to make any HTTP request" easy, while still allowing for flexibility if you want to lock that down more.

mike_hearn

4 months ago

In Java DI you can add dependencies without changing your public API using field injection. But really there needs to be a language with integrated DI. A lot of the pain of using DI comes from the way it's been strapped on the side.

crazygringo

4 months ago

Thanks, it's great to see all the issues you raise.

On the other hand, it seems about as hard as I was imagining. I take for granted that it has to be a new language -- you obviously can't add it on top of Python, for example. And obviously it isn't compatible with things like global monkeypatching.

But if a language's built-in functions are built around the idea from the ground up, it seems entirely feasible. Particularly if you make the limits entirely around permissions around data communication -- with disk, sockets, APIs, hardware like webcams and microphones, and "god" permissions like shell or exec commands -- and not about trying to merely constrain resource usage around things like CPU, memory, etc.

If a package is blowing up your memory or CPU, you'll catch it quickly and usually the worst it can do is make your service unavailable. The risk to focus on should be exclusively data access+exfiltration and external data modification, as far as I can tell. A package shouldn't be able to wipe your user folder or post program data to a URL at all unless you give it permission. Which means no filesystem or network calls, no shell access, no linked programs in other languages, etc.

int_19h

4 months ago

1 reply

This exact idea has already been mainstream. Both Java and .NET used to have mechanisms like that, e.g.: https://en.wikipedia.org/wiki/Code_Access_Security

Groxx

4 months ago

1 reply

"it exists as a niche feature that few use and fewer understand" isn't exactly "mainstream" IMO (it's significantly less common from what I've seen than manual classloader shenanigans, for example). But yes, it's nice that it exists, and I wish it were used more - it'd catch low-effort stuff like this one was.

darthwalsh

4 months ago

1 reply

No, C# had it: past tense. CAS was neutered in .NET Framework 4.0 then removed in dotnet core.

Groxx

4 months ago

1 reply

alas. don't suppose you know of any good articles on why it's removed? I'd be curious about the reasoning / challenges.

there are some rather obvious challenges, but a huge amount of the ones I've run across end up looking mostly like "it's hard to add to an existing language" which is extremely understandable, but hardly a blocker for new ones.

int_19h

4 months ago

I don't know if there were any articles specifically detailing it, but from blog posts at the time the clear message was that they didn't consider the intended security guarantees to be possible to uphold in practice, so much so that "CAS and appdomains shouldn't be considered a security boundary".

crdrost

4 months ago

This was one of Doug Crockford's big bugaboos since The Good Parts and JSLint and Yahoo days—the idea that lexical scope aka closures give you an unprecedented ability to actually control I/O because you can say

    function main(io) {
        const result = somethingThatRequiresHttp(io.fetch);
        // ...
    }

and as long as you don't put I/O in global scope (i.e. window.fetch) but do an injection into the main entrypoint, that entrypoint gets to control what everyone else can do. I could for example do

    function main(io) {
      const result = something(readonlyFetch(onlyOurAPI(io.fetch))
    }
    function onlyOurAPI(fetch) {
      return (...args) => {
        const test = /^https:\/\/api.mydomain.example\//.exec(args[0]);
        if (test == null) {
          throw new ValueError("must only communicate with our API");
        }
        return fetch(..args);
      }
    }
    function readonlyFetch(fetch) { /* similar but allowlist only GET/HEAD methods */ }

I vaguely remember him being really passionate about "JavaScript lets you do this, we should all program in JavaScript" at the time... these days he's much more likely to say "JavaScript doesn't have any way to force you to do this and close off all the exploits from the now-leaked global scope, we should never program in JavaScript."

Shoutout to Ryan Dahl and Deno, where you write `#!/usr/bin/env deno --allow-net=api.mydomain.example` at the start of your shell script to accomplish something similar.

In my amateur programming-conlang hobby that will probably never produce anything joyful to anyone other than me, one of those programming languages has a notion of sending messages to "message-spaces" and I shamelessly steal Doug's idea -- message-spaces have handles that you can use to communicate with them, your I/O is a message sent to your main m-space containing a bunch of handles, you can then pattern-match on that message and make a new handle for a new m-space, provisioned with a pattern-matcher that only listens for, say, HTTP GET/HEAD events directed at the API, and forwards only those to the I/O handle. So then when I give this new handle to someone, they have no way of knowing that it's not fully I/O capable, requests they make to the not-API just sit there blackholed until you get an alert "there are too many unread messages in this m-space" and peek in to see why.

gmueckl

4 months ago

2 replies

Java went down that road with the applet sandboxing. They thought that this would go well because the JVM can be a perfect gatekeeper on the code that gets to run and can see and stop all calls to forbidden methods.

It didn't go well. The JVM did it's part well, but they couldn't harden the library APIs. They ended up playing whack-a-mole with a steady stream of library bugs in privileged parts of the system libraries that allowed for sandbox escapes.

cjalmeida

4 months ago

1 reply

It was too complex. Just making system calls require white listing libraries goes a long way of preventing a whole class of exploits.

There’s no reason a color parser, or a date library should require network or file system access.

0xDEAFBEAD

4 months ago

The simplest approach to whitelisting libraries won't work, since the malicious color parser can just call the whitelisted library.

A different idea: Special stack frames such that while that frame is on the stack, certain syscalls are prohibited. These "sandbox frames" could be enabled by default for most library calls, or even used by developers to handle untrusted user input.

mike_hearn

4 months ago

Yes, but that was with a very ambitious sandbox that included full GUI access. Sandboxing a pure data transformation utility like something that strips ANSI escape codes would have been much easier for it.

bunderbunder

4 months ago

2 replies

Alternatively, I've long been wondering if automatic package management may have been a mistake. Its primary purpose seems to be to enable this kind of proliferation of micro-dependencies by effectively sweeping the management of these sprawling dependency graphs under the carpet. But the upshot of that is, most changes to your dependency graph, and by extension your primary vector for supply chain attacks, becomes something you're no longer really looking at.

Versus, when I've worked at places that eschew automatic dependency management, yes, there is some extra work associated with manually managing them. But it's honestly not that much. And in some ways it becomes a boon for maintainability because it encourages keeping your dependency graph pruned. That, in turn, reduces exposure to third-party software vulnerabilities and toil associated with responding to them.

JoshTriplett

4 months ago

2 replies

Manual dependency management without a package manager does not lead people to do more auditing.

And at least with a standardized package manager, the packages are in a standard format that makes them easier to analyze, audit, etc.

Groxx

4 months ago

1 reply

yea, just look at the state of many C projects. it's rather clearly worse in practice in aggregate.

should it be higher friction than npm? probably yes. a permissions system would inherently add a bit (leftpad includes 27 libraries which require permissions "internet" and "sudo", add? [y/N]) which would help a bit I think.

but I'm personally more optimistic about structured code and review signing, e.g. like cargo-crev: https://web.crev.dev/rust-reviews/ . there could be a market around "X group reviewed it and said it's fine", instead of the absolute chaos we have now outside of conservative linux distro packagers. there's practically no sharing of "lgtm" / "omfg no" knowledge at the moment, everyone has to do it themselves all the time and not miss anything or suffer the pain, and/or hope they can get the package manager hosts' attention fast enough.

bunderbunder

4 months ago

1 reply

C has a lot of characteristics beyond simple lack of a standard automatic package manager that complicate the situation.

The more interesting comparison to me is, for example, my experience on C# projects that do and do not use NuGet. Or even the overall C# ecosystem before and after NuGet got popular. Because then you're getting closer to just comparing life with and without a package manager, without all the extra confounding variables from differing language capabilities, business domains, development cultures, etc.

Groxx

4 months ago

1 reply

when I was doing C# pre-nuget we had an utterly absurd amount of libraries that nobody had checked and nobody ever upgraded. so... yeah I think it applies there too, at least from my experience.

I do agree that C is an especially-bad case for additional reasons though, yeah.

bunderbunder

4 months ago

1 reply

Gotcha. When I was, we actively curated our dependencies and maintaining them was a regularly scheduled task that one team member in particular was in charge of making sure got done.

Groxx

4 months ago

1 reply

most teams I've been around have zero or one person who handles that (because they're passionate) (this is usually me) - tbh I think that's probably the majority case.

exceptions totally exist, I've seen them too. I just don't think they're enough to move the median away from "total chaotic garbage" regardless of the system

bunderbunder

4 months ago

This is why I secretly hate the term software engineer. "Software tinker" would be more appropriate.

mikestorrent

4 months ago

1 reply

Well, consider that a lot of these functions that were exploited are simple things. We use a library to spare ourselves the drugdery of rewriting them, but now that we have AI, what's it to me if I end up with my own string-colouring functions for output in some file under my own control, vs. bringing in an external dependency that puts me on a permanent upgrade treadmill and opens the risk to supply chain attacks?

Leftpad as a library? Let it all burn down; but then, it's Javascript, it's always been on fire.

JoshTriplett

4 months ago

1 reply

> but now that we have AI, what's it to me if I end up with my own string-colouring functions for output in some file under my own control

Before AI code generation, we would have called that copy-and-paste, and a code smell compared to proper reuse of a library. It's not any better with AI. That's still code you'd have to maintain, and debug. And duplicated effort from all the other code doing the same thing, and not de-duplicated across the numerous libraries in a dependency tree or on a system, and not benefiting from multiple people collaborating on a common API, and not benefiting from skill transfer across projects...

mikestorrent

4 months ago

1 reply

> a code smell

Smells are changing, friend. Now, when I see a program with 20000 library dependencies that I have to feed into a SAST and SCA system and continually point-version-bump and rebuild, it smells a hell of a lot worse to me than something self-contained.

At this point, I feel like I can protect the latter from being exploited better than the former.

JoshTriplett

4 months ago

> At this point, I feel like I can protect the latter from being exploited better than the former.

I expect that your future CVEs will say otherwise. People outside your organization have seen those library dependencies, and can update them when they discover bugs or security issues, and you can automatically audit a codebase to make sure it's using a secure version of each dependency.

Bespoke AI-generated code will have bespoke bugs and bespoke security issues.

ryandrake

4 months ago

2 replies

Unpopular opinion these days, but: It should be painful to pull in a dependency. It should require work. It should require scrutiny, and deep understanding of the code you're pulling in. Adding a dependency is such an important decision that can have far reaching effects over your code: performance, security, privacy, quality/defects. You shouldn't be able to casually do it with a single command line.

skydhash

4 months ago

I wouldn’t go for painful that much. The main issue is transitive dependencies. The tree can be several layer deep.

In the C world, anything that is not direct is often a very stable library and can be brought in as a peer deps. Breaking changes happen less and you can resolve the tree manually.

In NPM, there are so many little packages that even renowned packages choose to rely one for no obvious reason. It’s a severe lack of discipline.

heisenbit

4 months ago

For better or worse it is often less work to create a dependency than to maintain it over its lifetime. Improvements in maintenance also ease creation of new dependencies.

mbrevda1

4 months ago

yup, here is node's docs for it (WIP): https://nodejs.org/api/permissions.html

procaryote

4 months ago

1 reply

I've nixed javascript in the backend in several places, partly because of the weird culture around dependencies. Having to audit that for compliance, or keeping it actually secure, is a nightmare.

Nixing javascript in the frontend is a harder sell, sadly

christophilus

4 months ago

1 reply

What did you switch to instead? I used to be a C# dev, and have done my fair share of Go. Both of those have decent enough standard libraries that I never found myself with a large 3rd party dependency tree.

Ruby, Python, and Clojure, though? They weren’t any better than my npm projects, being roughly the same order of magnitude. Same seems to be true for Rust.

procaryote

4 months ago

You can get pretty far in python without a lot of dependencies, and the dependencies you do need tend to be more substantial blocks of functionality. Much easier to keep the tree small than npm.

Same with Java, if you avoid springboot and similar everything frameworks, which admittedly is a bit of an uphill battle given the state of java developers.

You can of course also keep dependencies small in javascript, but it's a very uphill fight where you'll have just a few options and most people you hire are used to including a library (that includes 10 libraries) to not have to so something like `if (x % 2 == 1)`

Just started with golang... the language is a bit annoying but the dependency culture seems OK

amarant

4 months ago

Throwback to leftpad!

Hey that was also on NPM iirc!

anonzzzies

4 months ago

Yes. It is a bit painful this is not rather obvious by now. But I do have, every code review, whine about people who just include trivial outdated one function npms :(

amysox

4 months ago

What I'd like to know is why anyone thinks it's a good idea to have this level of granularity in libraries? Seriously? A library that only contains "a utility function that determines if its argument can be used like an array"? That's a lot of overhead in dependency management, which translates into a lot of cognitive load. Sooner or later, something's going to snap...and something did, here.

ivape

4 months ago

2 replies

Dat domain name.

Yeah, stop those cute domain names. I never got the memo on Youtu.be, I just had “learn” it was okay. Of course people started to let their guard down because dumbasses started to get cute.

We all did dodge a bullet because we’ve been installing stuff from NPM with reckless abandon for awhile.

Can anyone give me a reason why this wouldn’t happen in other ecosystems like Python, because I really don’t feel comfortable if I’m scared to download the most basic of packages. Everything is trust.

1-more

4 months ago

1 reply

of all people my mortgage servicer is the worst about this. Your login is valid on like 3 different top level domains and you get bounced between them when you sign in, eventually going from servicer.com to myservicer.com to servicer.otherthing.com! It's as though they were training you to not care about domain names.

wzamqo

4 months ago

1 reply

Paying US taxes online is just as bad. The official way to pay tax balances with a debit card online is to use officialpayments[.]com. This is what the IRS advises you to use. Our industry is a clown factory.

LorenDB

4 months ago

Wells Fargo apparently emails from epay@onlinemyaccounts[.]com.

jvdvegt

4 months ago

1 reply

What about aka.ms, which is a valid domain for Microsoft. Why didn't they use microsoft.com, or windows.com? I always wonder if this aka is short for 'also known as'.

dymk

4 months ago

They use that domain name because it’s used for short links

Mystery-Machine

4 months ago

5 replies

Always use password manager to automatically fill in your credentials. If password manager doesn't find your credentials, check the domain. On top of that, you can always go directly to the website, to make any needed changes there, without following the link.

Analemma_

4 months ago

1 reply

I don't think this really helps. I use Bitwarden and it constantly fails to autofill legitimate websites and makes me go to the app to copy-paste, because companies do all kinds of crap with subdomains, marketing domains, etc. Any safeguard relying on human attention is ultimately susceptible to this; the only true solutions are things like passkeys where human fuckups are impossible by design and they can't give credentials to the wrong place even if they want to.

Passkeys are disruptive enough that I don't think they need to be mandated for everyone just yet, but I think it might be time for that for people who own critical dependencies.

teekert

4 months ago

It's a pita but BitWarden has quite some flexibility in filtering where what gets autofilled. I agree the defaults are pretty shit and indeed lead to constant copy-pasting. On the other hand, it will offer all my password all the time for all my selfhosted stuff on my 1 server.

dewey

4 months ago

2 replies

Password managers are still too unreliable to auto-fill everywhere all the time, and manually having to copy paste something from the password manager happens regularly so it's not something that feels unusual if it doesn't auto-fill it for some reason.

zargon

4 months ago

I put the fault on companies for making their login processes so convoluted. If you take the time to do it, you can usually configure the password manager to work (we shouldn’t have to make the effort). But even if you do, then the company will at some point change something about their login processes and break it.

nilslindemann

4 months ago

Indeed. I have to fill in my TOTP manually on Lichess and on tutanota.com. On proton.me sometimes. On other sites it always works, e.g. GitHub.

esseph

4 months ago

1 reply

> Always use password manager to automatically fill in your credentials

Absolutely not.

https://www.malwarebytes.com/blog/news/2025/08/clickjack-att...

https://thehackernews.com/2025/08/dom-based-extension-clickj...

https://www.intercede.com/the-dangers-of-password-autofill-a...

darthwalsh

4 months ago

1 reply

What's more likely, the real npm site has a subdomain with XSS (IIRC the issue you linked) or you are manually filling your password into a phishing site?

There's strong evidence that the latter is a more common concern.

esseph

4 months ago

What I'm saying is that autofill is a current method of credential extraction that should be avoided.

You don't have to believe me, read the links.

teekert

4 months ago

Better yet, use password manager as the store of the valid domain and click there to go to resource.

fragmede

4 months ago

what do you mean bankofamericaabuse.com isn't a real website!? It's in the email and everything! The nice guy on the phone said it was legit...

Havoc

4 months ago

3 replies

Really feels like these big open packages repos need a better security solution. Or at least a core subset of carefully vetted ones.

Same issue with python, rust etc. It’s all very trust driven

lpln3452

4 months ago

2 replies

In a case like this, the package maintainer's account itself has been hacked, so I'm not sure if that would be meaningful.

The only solution would be to prevent all releases from being applied immediately.

dherls

4 months ago

2 replies

A solution could be enforcing hardware keys for 2FA for all maintainers if a package has more than XX thousand weekly downloads.

No hardware keys, no new releases.

winkelmann

4 months ago

Crucially, it would have to be set up so they need to use the hardware key when pushing any changes. Just requiring a hardware key as a login method does nothing to protect against token stealing, which I believe is the most common form of supply chain attack right now.

ozim

4 months ago

Passkeys - no need for hardware key.

They have it implemented.

I created NPM account today and added passkey from my laptop and hardware key as secondary. As I have it configured it asked my for it while publishing my test package.

So the guy either had TOTP or just the pw.

Seems like should be easy to implement enforcement.

dsff3f3f3f

4 months ago

There needs to be a massive push from the larger important packages to eliminate these idiotic transitive dependencies. Core infrastructure shouldn't rely on trivial packages maintained by a single random person from who knows where that can push updates without review. It's absolutely insane.

cgh

4 months ago

1 reply

Is the fundamental problem with npm still a lack of enforced namespacing?

In the Java world, I know there’s been griping from mostly juniors re “why isn’t Maven easy like npm?” (I work with some of these people). I point them to this article: https://www.sonatype.com/blog/why-namespacing-matters-in-pub...

Maven got a lot of things right back in the day. Yes POM files are in xml and we all know xml sucks etc, but aside from that the stodgy focus on robustness and carefully considered change gets more impressive all the time.

hyperpape

4 months ago

1 reply

Nothing about this attack would be solved by namespacing, but it might have been solved by maven's use of GPG keys.

zenmac

4 months ago

isn't time NPM start to use that? Why has this taken soo long?

ozim

4 months ago

2 replies

Linux distributions packages are also very trust driven — but you have to earn trust to publish. Then there is whole system to verify trust. NPM is more like „everything goes”.

euLh7SM5HDFY

4 months ago

The sheer volume is the issue. Recent XZ backdoor shows it can happen to everyone. I am pretty sure JS has most packages, updates and contributors - and it makes it the best ecosystem to target. That anemic standard library doesn't help of course, but 2FA and package signing is required for all package repositories, here and now.

johnny22

4 months ago

It woudl'nt have solved this, because this publisher would have been trusted.

_fat_santa

4 months ago

9 replies

I know this isn't really possible for smaller guys but larger players (like NPM) really should buy up all the TLD versions of "npm" (that is: npm.io, npm.sh, npm.help, etc). One of the reasons this was so effective is that the attacker managed to snap up "npm.help"

VectorLock

4 months ago

1 reply

There's like 1500 TLDs, now some of them are restricted and country-code TLDs but now it makes me wonder how much it would actual cost per year to maintain registration of every non-restricted TLD. I'm sure theres some SaaS company that'll do it.

saghm

4 months ago

2 replies

OTOH, doesn't ICANN already sometimes restrict who has access to a given TLD? Would it really be that crazy for them to say "maybe we shouldn't let registrars sell npm.<TLD> regardless of the TLD", and likewise for a couple dozen of the most obvious targets (google., amazon., etc.)? No one needs to pay for these domains if no one is selling them in the first place. I don't love the idea of special treatment for giant companies in terms of domains, but we're already kind of there with the whole process they did when initially allowing companies to compete for exclusive access to TLDs, so we might as well use that process for something actually useful (unlike, say, letting companies apply for exclusive ownership of ".music" and have a whole legal process to determine that maybe that isn't actually beneficial for the internet as whole: https://en.wikipedia.org/wiki/.music)

ohdeargodno

4 months ago

2 replies

>maybe we shouldn't let registrars sell npm.<TLD> regardless of the TLD

Cool, get big enough, become friends with the right people and you can squat an entire name on the internet. What, you're the Nepalese Party for Marxists, you've existed for 70 years and you want to buy npm.np ? Nope, tough luck, some random dude pushes shitty javascript packages over there. Sorry for the existing npm.org address too, we're going to expropriate the National Association of Pastoral Musicians. Dare I remind you that the whole left-pad situation was because Kik, the company, stole (with NPM's assistance because they were big enough and friends with the right people) the kik package ?

At least they're paying dozens of millions to buy a shitty ass .google that noone cares about because more and more browsers are hiding the URL bar. I'm glad ICANN can use it to buy drinks, hookers instead of being useful.

saghm

4 months ago

> Cool, get big enough, become friends with the right people and you can squat an entire name on the internet. What, you're the Nepalese Party for Marxists, you've existed for 70 years and you want to buy npm.np ?

I think you and I have drastically different ideas about how dramatic a response is warranted by the scenario of needing to buy a domain with a different three letters or maybe even four or more letters before the TLD.

> Dare I remind you that the whole left-pad situation was because Kik, the company, stole (with NPM's assistance because they were big enough and friends with the right people) the kik package ?

...and then the package was entirely removed, which would have been preventable by sane policies around making removal just not allow new dependencies to use it. You're also conflating a resource that's ostensibly free and perpetual for people to claim with one that's only rented for fixed periods of time for money.

jjani

4 months ago

> Dare I remind you that the whole left-pad situation was because Kik, the company, stole (with NPM's assistance because they were big enough and friends with the right people) the kik package ?

And then never even did anything with it.

VectorLock

4 months ago

The TLDs run the whole gamut from completely open to almost impossible to get.

IncreasePosts

4 months ago

1 reply

That seems like a bad idea compared to just having a canonical domain - people might become used to seeing "npm.<whatever>" and assuming it is legit. And then all it takes is one new TLD where NPM is a little late registering for someone to do something nefarious with the domain.

macintux

4 months ago

1 reply

Just because you buy them doesn't mean that you have to use them. Squatting on them is no more harmful (except financially) than leaving them available for potentially hostile 3rd parties.

IncreasePosts

4 months ago

1 reply

Sure, I guess buying up every npm.* you can find and then having a message "never use this, only use npm.com" could work. I thought OP was saying have every npm.* site be a mirror of the canonical site

barnas2

4 months ago

Looks like it costs ~$200,000 to get your own TLD. If a bunch of companies started doing the "register every TLD of our brand", I wonder what the breakeven point would be where just registering a TLD is profitable.

quectophoton

4 months ago

2 replies

Then you have companies like AWS, they were sending invoices from `no-reply-aws@amazon.com` but last month they changed it to `no-reply@tax-and-invoicing.us-east-1.amazonaws.com`.

That looks like a phishing attempt from someone using a random EC2 instance or something, but apparently it's legit. I think. Even the "heads-up" email they sent beforehand looked like phishing, so I was waiting for the actual invoice to see if they really started using that address, but even now I'm not opening these attached PDFs.

These companies tell customers to be suspicious of phishing attempts, and then they pull these stunts.

simoncion

4 months ago

3 replies

> These companies tell customers to be suspicious of phishing attempts, and then they pull these stunts.

Yep. At every BigCo I've worked at, nearly all of the emails from Corporate have been indistinguishable from phishing. Sometimes, they're actual spam!

Do the executives and directors responsible for sending these messages care? No. They never do, and get super defensive and self-righteous when you show them exactly how their precious emails tick every "This message is phishing!" box in the mandatory annual phishing-detection-and-resistance training.

cyphar

4 months ago

4 replies

A few years ago our annual corporate phishing training was initiated by an email sent from a random address asking us to log in with our internal credentials on a random website.

A week later some executive pushing the training emailed the entire company saying that it was unacceptable that nobody from engineering had logged into the training site and spun some story about regulatory requirements. After lots of back and forth they still wouldn't accept that it obviously looked like a phishing email.

Eventually when we actually did the training, it literally told us to check the From address of emails. I sometimes wonder if it was some weird kind of performance art.

ornornor

4 months ago

1 reply

It’s all just box ticking and CYA compliance.

“We got pwned but the entire company went through a certified phishing awareness program and we have a DPI firewall. Nothing more we could have done, we’re not liable.”

cyphar

4 months ago

1 reply

I agree, but I really wonder where on earth they find these people.

simoncion

4 months ago

If you're talking about the companies who provide the "training", either they're the lowest bidder, closely linked to someone who is buddies with someone important in the company [0], or both.

[0] ...so the payments serve the social function of enriching your buddy and improving your status in the whole favor economy thing...

lovich

4 months ago

1 reply

If Kevin mitnick shows up or is referenced then I’m pretty sure it’s performance art

cyphar

4 months ago

1 reply

If only, it would've been an honour to get phished by Mitnick. Rest in peace...

lovich

4 months ago

Years of useless knowB4 trainings with him in the video have given me a twitch whenever I hear him referenced

apple1417

4 months ago

1 reply

I once got a "log into phishing training" email which spoofed the company address. No one even saw the email, it instantly hit the spam filter.

Our infra guy then had to argue with them for quite a while to just email from their own domain, and that no, we're weren't going to add their cert to our DNS, and let a third party spoof us (or however that works, idk). Absolutely shocking lack of self awareness.

darthwalsh

4 months ago

When they send out the phishing-simulation email campaign from the "compromised insider account" it's going to fool a lot more people!

wiseleo

4 months ago

I can't pass phishing training on my first try because it often has bad advice as answers they are convinced are correct. Reading headers is one of such gems.

mhh__

4 months ago

Yielding to anything you say is a no-no because part of the deal is that you, as a geek, must bend over to their unilateral veto over everything in the company

Macha

4 months ago

I remember an email I once got.

Title: "Expense report overdue - Please fill now"

Subject:

---

So like, obviously this is a stupid phishing email, right? Especially as at this time, I had not used my corporate card.

A few weeks later I got the finance team reaching out threatening to cancel my corporate card because I had charges on it with no corresponding expense report filed.

So on checking the charge history for the corporate card, it was the annual tax payment that all cards are charged in my country every year, and finance should have been well aware of. Of course, then the expense system initially rejected my report because I couldn't provide a receipt, as the card provider automatically deducts this charge with no manual action on the card owner's side...

charlieyu1

4 months ago

1 reply

I thought facebookmail.com was fake. No, it is actually legit

jowea

4 months ago

Is that for user email? I think that is semi-understandable as Facebook wouldn't want to mix their authority with that of the users, like github.com vs github.io.

Edit: nvm it seems it's not the case

jacobsenscott

4 months ago

1 reply

This won't work - npm.* npmjs.* npmjs-help.* npm-help.* node.* js.* npmpackage.*. The list is endless.

You can't protect against people clicking links in emails in this way. You might say `npmjs-help.ph` is a phishy domain, but npmjs.help is a phishy domain and people clicked it anyway.

eddythompson80

4 months ago

there is also the more recent style of phising domains that look like healthcare.gov-profile.co/user

karmakaze

4 months ago

3 replies

First thing I do is check any domain that I don't recognize as official.

  Domain: NPMJS.HELP (85 similar domains)
  Registrar: Porkbun, LLC (4.84 million domains)
  Query Time: 8 Sep 2025 - 4:14 PM UTC  [1 DAY BACK] [REFRESH]

  Registered: 5th September 2025  [4 days back]
  Expiry: 5th September 2026  [11 months, 25 days left]

I'd be suspicious of anything registered with Porkbun discount registrar. 4 days ago, means it's fake.

> It sets a deadline a few days in the future. This creates a sense of urgency, and when you combine urgency with being rushed by life, you are much more likely to fall for the phishing link.

Any time I feel like I'm being rushed, I check deeper. It would help if everyone's official communications only came from the most well known domain (or subdomain).

jakubmazanec

4 months ago

> 4 days ago, means it's fake.

Heuristics like this one should be performed automatically by the email client.

jjani

4 months ago

GoDaddy is in every way a much shadier company yet half the internet is hosted on top of it, would you be okay with them being used? Come on now.

galaxy_gas

4 months ago

while other is reasonable, Porkbun is not "discount" registrar. They often more expensive, and on addition of that, they run quite a number of TLDs

osmsucks

4 months ago

There are way too many TLDs for this to be even practical: https://data.iana.org/TLD/tlds-alpha-by-domain.txt

I agree that especially larger players should be proactive and register all similar-sounding TLDs to mitigate such phishing attacks, but they can't be outright prevented this way.

croemer

4 months ago

npmjs.help not npm.help - the typo is also in the article.

ozim

4 months ago

That’s like insane proportion.

joe_the_user

4 months ago

I don't think that particular measure would help but NPM are the people who brought us the LPad crisis and their wikipedia page has a long string of security failures mentioned on it. Given this, it seems likely their attitude is "we don't care, we don't have to" and their relative success as the world's largest package manager seems to echo that (not that I have any idea whether they make any money).

SirFatty

4 months ago

3 replies

It's typical phishing email... and if the author when though any type of cybersecurity training, they would see that the email wasn't that great.

The sense of urgency is always the red flag.

zaphar

4 months ago

1 reply

I go through those trainings several times a year. That email is as close to perfect for a phishing email as I've ever seen.

kiitos

4 months ago

1 reply

the link in the email went to an obviously invalid domain, hovering the mouse cursor over the link in the email would have made this immediately clear, so even clicking that link should have never happened in the first place. red flag 1

but, ok, you click the link, you get a new tab, and you're asked to fill in your auth credentials. but why? you should already be logged in to that service in your default browser, no? red flag 2

ok, maybe there is some browser cache issue, whatever, so you trigger your password manager to provide your auth to the website -- but here, every single password manager would immediately notice that the domain in the browser does not match the domain associated with the auth creds, and either refuse to paste the creds thru, or at an absolute minimum throw up a big honkin' alert that something is amiss, which you'd need to explicitly click an "ignore" button to get past. red flag 3

nobody should be able to publish new versions of widely-used software without some kind of manual review/oversight in the first place, but even ignoring that, if someone does have that power, and they get pwned by an attack like this, with at least 3 clear red flags that they would need to have explicitly ignored/bypassed, then CLEARLY this person cannot keep their current position of authority

junon

4 months ago

1 reply

> the link in the email went to an obviously invalid domain, hovering the mouse cursor over the link in the email would have made this immediately clear, so even clicking that link should have never happened in the first place. red flag 1

The link went to the same domain as the From address. The URL scheme was 1:1 identical to the real npm's.

> but, ok, you click the link, you get a new tab, and you're asked to fill in your auth credentials. but why? you should already be logged in to that service in your default browser, no? red flag 2

Why wouldn't I be? I don't stay logged into npm at all.

kiitos

4 months ago

1 reply

huh?

the from: address in every email is an arbitrary and unverified text string that the sender provides, anyone can send an email to anyone else and specify a from: president@whitehouse.gov and that's how it will show up to the recipient

what do you mean by the URL scheme? a URL scheme is the http or https part of it? and for sure the host part of the URL was not the same as the real npm's host part of their URL?

i'm not sure what this comment is trying to accomplish, it parses as FUD

junon

4 months ago

1 reply

> the from: address in every email is an arbitrary and unverified text string that the sender provides

DKIM et al came back clean.

As for URL scheme, I mean the format and layout of URLs - because it was an MITM attack, they matched 1:1.

kiitos

4 months ago

1 reply

how did you evaluate the sender address via DKIM to get "clean" response? I mean I know there are methods to verify stuff about a received email, DKIM by itself only handles message integrity and not sender details, for that you need to fold in DMARC -- but there are all WILDLY technical details that are certainly not what anyone is gonna do before clicking a link in a message body

> As for URL scheme, I mean the format and layout of URLs - because it was an MITM attack, they matched 1:1.

"scheme" is a well-defined domain term that refers to the e.g. `https://` part of a URL/URI -- but that aside, I still don't get what you're saying here? what is "format and layout of URLs" and how does that relate to "mitm attack"?

to cut to the chase, a malicious email maybe contains a link, to a URL, that a victim can click on. but if that link says it goes to `https://npm.org` then it actually does go to `https://npm.org` and there isn't like any special secret way for an email to hijack or mitm that domain or URL resolution. if the link is actually `https://npn.org` then that's a totally different thing, it's not a mitm attack, there is no concept of "format or layout" of that totally different URL "matching 1:1" with `https://npm.org` -- unless you're talking about something totally different to what I'm understanding?

edit: wait are we talking about an email sent from a domain `npmjs.help`? DKIM and DMARC and URL scheme validation don't even enter the picture here, this was no kind of mitm attack by any definition -- "npmjs.help" is clear-as-day a malicious domain, and any email from it a clear-as-day phishing attempt.. ! it's fine, we're all human and etc. but it just underscores the issue here being minimizing blast radius of failures, and not anything related to any specific user/human

junon

4 months ago

1 reply

I think you are missing a lot of information I've posted elsewhere in this thread and the original HN post. I didn't minimize anything; I would hope most agree that if anything I've maximized the message as much as I possibly could to prevent further damage.

1. My email client does the validation of certain integrity and security checks and shows a checkmark next to senders that pass. Since npmjs.help was a domain legitimately owned by the attackers, it passed.

2. The link in the email lead to their site at the same domain, most likely performing a MITM between my browser and npm's official servers.

3. You're arguing semantics about "scheme". Please try to understand what I'm attempting to convey: The URLs appeared to match the official npm's site. There was no <a href> trickery. Once I had it in my head (erroneously) that .help was fine, nothing else about the attack stood out as suspicious when it came to the URL or domains.

4. Emails themselves are not MITM attacks, no. I didn't respond to an email with my credentials. I would never do that. But that isn't what I've ever claimed to have happened.

5. The URLs being similar or identical to npm's isn't how they technically achieved the MITM. The URLs being similar was to avoid arousing suspicion.

Hopefully that's explanatory enough.

kiitos

4 months ago

> The URLs appeared to match the official npm's site.

The domain "npmjs.help" is pretty clearly malicious at a glance, just from the ".help" TLD alone, but yeah as you say

> Once I had it in my head (erroneously) that .help was fine, nothing else about the attack stood out as suspicious when it came to the URL or domains.

well except that presumably you clicked on a npmjs.help link and the new tab ended up at npmjs.com? but yeah it's a tough break, don't mean to needle you, hopefully learning experience

small_scombrus

4 months ago

> the email wasn't that great

It was obviously good enough.

Snark aside, you only need to trick one person once and you've won.

singulasar

4 months ago

I think it's quite good, there's a sense of urgency, but it's also not "immediately change it!" they gave more than a day, and stated that it would be a temporary lock. Feel like this one really hit the spot on that aspect.

You should still never click a link in an email like this, but the urgency factor is well done here

scotty79

4 months ago

5 replies

Is there a tool that you can put between your npm client and npm web servers that serves package versions that are month old and possibly also tracks discovered malware and never serves infected versions?

JackFr

4 months ago

1 reply

Artifactory. Nexus. I believe AWS/GCP/Azure have offerings.

No bank, and almost no large corporations go directly to artifact/package repos. They all host them internally.

darthwalsh

4 months ago

Yes, but the public npmjs repository also blocks our corporate IP addresses, so our CI/CD pipelines can't ruin npm for everybody else.

lovehashbrowns

4 months ago

I'm looking at Verdaccio currently, since Artifactory is expensive and I think the CE version still only supports C++. Does anyone have any experience with Verdaccio?

balder1991

4 months ago

Something like this? https://jfrog.com/artifactory/

mikebelanger

4 months ago

Artifactory works fairly well. Although admittedly, when a user grabs a new dependency, they're downloading from the npmjs registry like anyone else.

Really, the killer combo would be to have some kind of LLM-based tool that would scan someone's artifactory. Something smart enough to notice that code changed, and there's code for accessing a crypto-wallet, etc. This would be too expensive for npmjs to host for free, but I could see this happen to hosted artifactory dependencies.

singulasar

4 months ago

the company that first found this vulnerability also has a tool for this https://www.npmjs.com/package/@aikidosec/safe-chain

mikewarot

4 months ago

3 replies

>Saved by procrastination!

Seriously, this is one of my key survival mechanisms. By the time I became system administrator for a small services company, I had learned to let other people beta test things. We ran Microsoft Office 2000 for 12 years, and saved soooo many upgrade headaches. We had a decade without the need to retrain.

That, and like other have said... never clicking links in emails.

RedShift1

4 months ago

1 reply

I'll reply to you tomorrow

TYPE_FASTER

4 months ago

...by then it might be working again anyway, or the user figured out what they were doing wrong.

"Hey, is it still broken? No? Great!"

nottorp

4 months ago

2 replies

Not in the "npm ecosystem". You're hopelessly behind there if you haven't updated in the last 54 seconds.

ohdeargodno

4 months ago

1 reply

Sorry, the "npm ecosystem" command has been deprecated. You can instead use npm environment (or npm under-your-keyboard because we helpfully decided it should autocorrect and be an alias)

efilife

4 months ago

this seems to be a clever joke. sad to see it dead

ainiriand

4 months ago

Well in this case it makes sense to update fast isn't it?

blamestross

4 months ago

1 reply

"Just wait 2 weeks to use new versions by default" is an amazing defense method against supply chain attacks.

kevinrineer

4 months ago