We all dodged a bullet

Posted by WhyNotHugo 4 days ago

Related: NPM debug and chalk packages compromised - https://news.ycombinator.com/item?id=45169657

822 points | 483 commentspage 5

YeGoblynQueenne 3 days ago|

>> It sets a deadline a few days in the future. This creates a sense of urgency, and when you combine urgency with being rushed by life, you are much more likely to fall for the phishing link.

Procrastination is a security strategy.

kitd 3 days ago|

When we do the phishing awareness training at $WORK, we are told any sense of urgency is suspicious, especially from an established org. Most would give you at least a month before something as draconian as locking your account.

frabjoused 3 days ago||

I wrote the first commit for slice-ansi in 2015 to solve a baby problem for a cli framework I was building, and worked with Qix a little on the chalk org after it. It's wild looking back and seeing how these things creep in influence over time.

junon 3 days ago|

Didn't expect things to grow how they have, that's for sure! Hope you've been well :)

mrbluecoat 4 days ago||

Does the Go ecosystem have a similar security screening process as NPM? This was caught because a company was monitoring a centralized packaging distribution platform, but I worry about all those golang modules spread across GitHub without oversight..

quectophoton 4 days ago|

This page has a short explanation of the default way in which Go downloads modules, with links for more details: https://sum.golang.org/

mrbluecoat 3 days ago||

Thanks. It took a little more digging from that link but I eventually found https://go.dev/doc/security/vuln/#vulnerability-detection-fo...

quectophoton 3 days ago||

Right, my bad, seems like I misunderstood the question. Glad you could still find an answer.

For more context on why I thought that link would have been helpful: In Go you download dependencies "straight" from the source[1], while in npm and other languages you download dependencies from a completely unrelated registry that can have any random code (i.e. whether the published artifact was built from the alleged source repository, is a flip of a coin).

So not having this kind of third party registry eliminates the point of failure that caused the issue commented in the article. The issue was caught because of a centralized place, yes, but it was also caused because npm dependencies are downloaded from a centralized place and because this centralized place only hosts artifacts unrelated to the source code itself; package authors can `npm publish` artifacts containing the exact source code from their repos if they want though. If.

With Go, having a mirror of the source code is still third party infra, but is more an optimization than anything else, and checksums are generated based on the source itself[2] (rather than any unrelated artifact). This checksum should match even for people not using any proxy, so if you serve different code to someone, there will be a mismatch between the checksum of the downloaded module and the checksum from the SumDB. This should catch force-pushes done to a git repository version tag, for example.

Also, Go downloads the minimum version that satisfies packages, so it's less likely that you'll download a (semver) "patch" release that someone pushed hours ago.

All this makes me both like and dislike how Go handles dependencies.

[1]: Well, from a mirror, unless you set `GOPROXY=direct`. Reasoning explained in next paragraph.

[2]: The checksum is calculated from a zip file, but it is generated in a deterministic way, and this checksum is also generated and validated locally when you download dependencies. More info at https://go.dev/ref/mod#zip-files and https://go.dev/ref/mod#go-mod-verify

m463 3 days ago||

Would recommend less click-baity: "NPM attack - we all dodged a bullet"

amradio1989 4 days ago||

Great write up. I can understand the indignation at the exploit, but I believe it’s an A+ exploit for the chosen attack vector.

Not only is it “proof of concept” but it’s a low risk high reward play. It’s brilliant really. Dangerously so.

leoc 4 days ago||

> Even then, that wouldn't really stand out to me because I've seen companies use new generic top level domains to separate out things like the blog at .blog or the docs at .guide, not to mention the .new stack.

This is very much a 'can we please not' situation, isn't it? (Obviously it's not something that the email recipients can (usually) control, so it's not a criticism of them.) It also has to meaningfully increase the chance that someone will eventually forget to renew a domain, too.

NoahZuniga 4 days ago||

Facebook sends legit account secuirty emails from facebookmail.com. Horrible.

leoc 3 days ago||

For a company that is otherwise quite serious about security nowadays, MS seems to be the champion of this. Say hello to live.com and its friends …

junon 3 days ago||

Anecdotally throughout all this, contacting npm got me a response from githubsupport.com. I had to double check if that was even real.

tempodox 3 days ago||

Stuff like this is why I stay away from everything that touches NPM, but I guess not everyone has the freedom to make that decision.

binarymax 4 days ago||

There's only one thing that would throw me off this email and that is DMARC. But I didn't get the email, so who is to say if I actually would have been caught.

vel0city 4 days ago||

This was a domain "legitimately" owned by the adversary. They controlled that DNS. They could set any SPF or DKIM records they wanted. This email probably passed all DMARC checks. From some screenshots, the email client even has a green check probably because it did pass DMARC.

junon 4 days ago||

    Authentication-Results: aspmx1.migadu.com;
        dkim=pass header.d=smtp.mailtrap.live header.s=rwmt1 header.b=Wrv0sR0r;
        dkim=pass header.d=npmjs.help header.s=rwmt1 header.b=opuoQW+P;
        spf=pass (aspmx1.migadu.com: domain of ndr-cbbfcb00-8c4d-11f0-0040-f184d6629049@mt86.npmjs.help designates 45.158.83.7 as permitted sender) smtp.mailfrom=ndr-cbbfcb00-8c4d-11f0-0040-f184d6629049@mt86.npmjs.help;
        dmarc=pass (policy=none) header.from=npmjs.help

thrownaway561 3 days ago||

The is the main reason why if you ever get a password reset email you ALWAYS go to the site directly and NEVER through the link provided in the email.

keyle 3 days ago|

"saved by procrastination!" made me smile.

One of the common cases of being offline first, disconnected etc. pays off.

Don't rush. Work on Hawaiian clock!

More comments...