This 2FA phishing scam pwned a developer - and endangered billions of npm downloads
Briefly

"In a Bluesky post, the developer added that the phishing email originated from a domain impersonating the legitimate npmjs[.]com domain, and the only indicator of fraud was the use of ".help" in the "support[at]npmjs[dot]help" email. The email in question claimed to be a security notice, warning users that unless they updated their two-factor authentication (2FA) credentials, their accounts would be temporarily locked starting Sept. 10."
""The email was a '2FA update' email telling me it's been 12 months since I updated 2FA. That should have been a red flag, but I've seen similarly dumb things coming from well-intentioned sites before," Junon commented. "Since npm has historically been in contact about new security enhancements, this didn't smell particularly unbelievable to my nose. The email went to the npm-specific inbox, which is another way I can verify them.""
A phishing email impersonating npmjs[.]com was sent from support[at]npmjs[dot]help; the ".help" top-level domain was the only sign that it was fraudulent. It posed as a required two-factor authentication (2FA) update and threatened to lock accounts starting Sept. 10. The phishing site harvested npm usernames, passwords and TOTP codes, and even offered a fresh TOTP enrollment that the developer successfully added to Authy, so the attackers ended up holding a working second factor for the account. With the hijacked account, malicious updates were pushed to at least 18 popular open-source npm packages that together receive over two billion downloads per week. The npm team quickly removed the backdoored versions. The incident is a targeted software supply chain attack that relied on social engineering a maintainer rather than on breaking the registry.
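The lesson in the paragraph above is that "it mentions npmjs" is not the same check as "it is npmjs". The following is an added example (not code from ZDNET, npm or the developer) showing the difference between the substring-style judgement that let the mail through and an exact registrable-domain comparison that catches a lookalike such as npmjs.help. The trusted-domain list and both messages are constructed for the example; the headers are not the real phishing email.

```python
"""Sender- and link-domain check against lookalike domains.

Added example: demonstrates why a substring check ("contains npmjs")
accepts npmjs.help while an exact registrable-domain match rejects it.
TRUSTED_SENDER_DOMAINS and the sample messages are constructed here;
they are not npm's real sender list or the real phishing email.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption for this example: domains the registry legitimately mails from.
TRUSTED_SENDER_DOMAINS = {"npmjs.com", "github.com"}

# Hostnames of every http(s) URL in a body (stops at path, whitespace, quotes).
LINK_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)


def sender_domain(raw_message: str) -> str:
    """Return the lowercase domain of the From: address, or '' if unparsable."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def naive_looks_trusted(domain: str) -> bool:
    """The shortcut that lets lookalikes through: the brand name appears in the domain."""
    brands = {t.split(".")[0] for t in TRUSTED_SENDER_DOMAINS}
    return any(brand in domain for brand in brands)


def is_trusted_sender(domain: str) -> bool:
    """Exact match on a trusted registrable domain, or a subdomain of one.

    npmjs.help, npmjs-com.example and npmjs.com.evil.example all fail here,
    because none equals 'npmjs.com' or ends with '.npmjs.com'.
    """
    domain = domain.lower().rstrip(".")
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_SENDER_DOMAINS)


def link_hosts(raw_message: str) -> set[str]:
    """Lowercase hostnames of all links in the (single-part) message body."""
    body = message_from_string(raw_message).get_payload()
    return {h.lower().rstrip(".") for h in LINK_RE.findall(body)}


def classify(raw_message: str) -> dict:
    """Compare the naive and strict verdicts for one message."""
    dom = sender_domain(raw_message)
    untrusted_links = sorted(h for h in link_hosts(raw_message) if not is_trusted_sender(h))
    strict_ok = is_trusted_sender(dom) and not untrusted_links
    return {
        "sender_domain": dom,
        "naive_verdict": "trusted" if naive_looks_trusted(dom) else "suspect",
        "strict_verdict": "trusted" if strict_ok else "suspect",
        "untrusted_links": untrusted_links,
    }


# Constructed sample messages (not the real emails).
PHISH = """From: npm <support@npmjs.help>
To: maintainer@example.org
Subject: Action required: update your two-factor authentication

It has been 12 months since you updated your 2FA credentials.
Update them at https://npmjs.help/settings/2fa before Sept. 10
or your account will be temporarily locked.
"""

LEGIT = """From: npm <support@npmjs.com>
To: maintainer@example.org
Subject: New package version published

A new version of your package was published.
Review it at https://www.npmjs.com/package/example
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, classify(raw))
```

Two caveats a practitioner should keep in mind. The From: header is attacker-controlled unless SPF/DKIM/DMARC results say otherwise, so in a real filter this comparison runs on the authenticated domain, not the displayed one. And no mail check fixes the underlying weakness: TOTP codes can be relayed in real time by a proxying phishing page, which is exactly what happened here; a phishing-resistant second factor such as a WebAuthn/FIDO2 key binds the response to the origin, so a credential captured on npmjs.help cannot be replayed to npmjs.com.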
Read at ZDNET