ZDNET's key takeaways
A phishing email was at the heart of the attack.
NPM team quickly removed backdoored versions.
18 packages hit, with 2B+ downloads every week.
A new software supply chain attack has targeted popular open-source npm packages that together see at least two billion downloads per week.
'I've been pwned'
On Sept. 8, Josh Junon, a package maintainer whose account was at the center of the attack, revealed that a sophisticated phishing attack was to blame, impacting npm packages linked to his account.
Also known as qix, Junon said, "I've been pwned. 2FA reset email, looked very legitimate."
In a Bluesky thread, the developer added that the phishing email came from a domain impersonating the legitimate npmjs[.]com domain, and that the only indicator of fraud was the ".help" top-level domain in the sender address "support[at]npmjs[dot]help". The email posed as a security notice, warning recipients that unless they updated their two-factor authentication (2FA) credentials, their accounts would be temporarily locked starting Sept. 10.
On Hacker News, Junon said he logged into the fake website with a TOTP code while on mobile.
"The email was a '2FA update' email telling me it's been 12 months since I updated 2FA. That should have been a red flag, but I've seen similarly dumb things coming from well-intentioned sites before," Junon commented. "Since npm has historically been in contact about new security enhancements, this didn't smell particularly unbelievable to my nose. The email went to the npm-specific inbox, which is another way I can verify them."
"They phished username, password (unique to npm), and a TOTP code. They even gave me a new TOTP code to install (lol), and it worked. Showed up in Authy fine. Whoever made this put a ton of effort into it."
Malicious updates added to npm packages
Aikido Security researchers published a blog post outlining the incident, in which malicious updates were added to npm packages and pushed Monday at around 13:16 UTC. In total, it is believed that 18 npm packages were compromised in the attack, including chalk, debug, ansi-styles, color-string, and simple-swizzle. These packages alone accounted for approximately 1.1 billion downloads last week.
Node Package Manager (npm) is the default package manager for the Node.js JavaScript runtime, and the npm registry is where the open source developer community publishes, downloads, and installs shared packages.
"The packages were updated to contain a piece of code that would be executed on the client of a website, which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user," the researchers said.
According to the team, the index.js file in these packages was modified with malicious code, obfuscated to hide a browser-based interceptor. Furthermore, a WHOIS lookup of the phishing domain, npmjs[.]help, shows it was registered only last week.
When Aikido reached out to Junon to make him aware of the security incident, he began cleaning up the packages before npm revoked access to his account; that access has since been restored. The npm team said in an update that the backdoored versions of all impacted packages have now been removed.
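Because the malicious code shipped as new versions of packages that sit deep in most JavaScript dependency trees, the practical question for a project owner is whether a compromised version was resolved into their own lockfile, including as a nested duplicate under another dependency. The following script is an added example, not code from ZDNET, Aikido Security, npm, or the affected projects. It reads an npm package-lock.json (lockfileVersion 1, 2, or 3), lists every installed copy of the packages the article names, and flags any whose version is on a caller-supplied list of known-bad versions. The version strings in SAMPLE_BAD_VERSIONS and the sample lockfile are constructed placeholders for illustration, not the real compromised releases; the real version list must come from the npm or Aikido advisory.

```javascript
"use strict";
// Added example (not ZDNET, Aikido, npm or project code): scan a
// package-lock.json for installs of the packages named in the report and
// flag versions on a caller-supplied known-bad list.

// Package names the article reports as compromised.
const WATCHED = ["chalk", "debug", "ansi-styles", "color-string", "simple-swizzle"];

// Return every installed copy of the watched packages, including nested
// duplicates such as node_modules/a/node_modules/chalk, which a top-level
// "npm ls" glance is easy to overlook.
function listInstalled(lock, watched = WATCHED) {
  const watchSet = new Set(watched);
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2 or 3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry
      const idx = path.lastIndexOf("node_modules/");
      // Aliased installs carry an explicit "name"; otherwise derive it from the path.
      const name = meta.name || (idx >= 0 ? path.slice(idx + "node_modules/".length) : null);
      if (name && watchSet.has(name)) found.push({ name, version: meta.version, path });
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested dependency tree.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (watchSet.has(name)) found.push({ name, version: meta.version, path });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// badVersions maps a package name to the array of versions to reject.
function isBad(pkg, badVersions) {
  return (badVersions[pkg.name] || []).includes(pkg.version);
}

// Installed copies of the listed packages whose version is on the bad list.
function findCompromised(lock, badVersions) {
  return listInstalled(lock, Object.keys(badVersions)).filter((p) => isBad(p, badVersions));
}

// Constructed sample lockfile (lockfileVersion 3) so the script runs stand-alone.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/chalk": { version: "4.1.2" },
    "node_modules/debug": { version: "9.9.9-placeholder" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/express/node_modules/debug": { version: "2.6.9" },
    "node_modules/ansi-styles": { version: "9.9.8-placeholder" },
  },
};

// Constructed placeholder versions; NOT the real compromised releases.
const SAMPLE_BAD_VERSIONS = {
  chalk: ["9.9.9-placeholder"],
  debug: ["9.9.9-placeholder"],
  "ansi-styles": ["9.9.8-placeholder"],
  "color-string": ["9.9.9-placeholder"],
  "simple-swizzle": ["9.9.9-placeholder"],
};

// Print one line per installed copy and return the flagged ones.
function report(lock, badVersions) {
  const installed = listInstalled(lock, Object.keys(badVersions));
  const hits = installed.filter((p) => isBad(p, badVersions));
  for (const p of installed) {
    const flag = hits.includes(p) ? "COMPROMISED" : "ok";
    console.log(`${flag.padEnd(11)} ${p.name}@${p.version}  (${p.path})`);
  }
  console.log(`${hits.length} compromised install(s) found`);
  return hits;
}

// Usage: node check-lock.js [path/to/package-lock.json]; defaults to the sample.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  report(lock, SAMPLE_BAD_VERSIONS);
}
```

Run it against a real lockfile after replacing SAMPLE_BAD_VERSIONS with the advisory's list; a project that pins the packages but never installed during the roughly two-hour window the bad versions were live will show every copy as "ok", while a nested hit under another dependency is exactly the case a top-level version check misses.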
Other maintainers have been affected
In a footnote to its blog post, Aikido Security said that another maintainer was targeted, which suggests this software supply chain campaign has not yet run its course. Junon shares that view and has said that other maintainers have also been compromised, though no further details have been disclosed at this time.
"Other maintainers have been affected," Junon says. "Stay vigilant."