We all dodged a bullet

Posted by WhyNotHugo 9/9/2025

Related: NPM debug and chalk packages compromised - https://news.ycombinator.com/item?id=45169657

830 points | 484 commentspage 5

frabjoused 9/9/2025|

I wrote the first commit for slice-ansi in 2015 to solve a baby problem for a cli framework I was building, and worked with Qix a little on the chalk org after it. It's wild looking back and seeing how these things creep in influence over time.

junon 9/10/2025|

Didn't expect things to grow how they have, that's for sure! Hope you've been well :)

frabjoused 9/22/2025||

Good to hear from you man, you too :)

mrbluecoat 9/9/2025||

Does the Go ecosystem have a similar security screening process as NPM? This was caught because a company was monitoring a centralized packaging distribution platform, but I worry about all those golang modules spread across GitHub without oversight..

quectophoton 9/9/2025|

This page has a short explanation of the default way in which Go downloads modules, with links for more details: https://sum.golang.org/

mrbluecoat 9/10/2025||

Thanks. It took a little more digging from that link but I eventually found https://go.dev/doc/security/vuln/#vulnerability-detection-fo...

quectophoton 9/10/2025||

Right, my bad, seems like I misunderstood the question. Glad you could still find an answer.

For more context on why I thought that link would have been helpful: In Go you download dependencies "straight" from the source[1], while in npm and other languages you download dependencies from a completely unrelated registry that can have any random code (i.e. whether the published artifact was built from the alleged source repository, is a flip of a coin).

So not having this kind of third party registry eliminates the point of failure that caused the issue commented in the article. The issue was caught because of a centralized place, yes, but it was also caused because npm dependencies are downloaded from a centralized place and because this centralized place only hosts artifacts unrelated to the source code itself; package authors can `npm publish` artifacts containing the exact source code from their repos if they want though. If.

With Go, having a mirror of the source code is still third party infra, but is more an optimization than anything else, and checksums are generated based on the source itself[2] (rather than any unrelated artifact). This checksum should match even for people not using any proxy, so if you serve different code to someone, there will be a mismatch between the checksum of the downloaded module and the checksum from the SumDB. This should catch force-pushes done to a git repository version tag, for example.

Also, Go downloads the minimum version that satisfies packages, so it's less likely that you'll download a (semver) "patch" release that someone pushed hours ago.

All this makes me both like and dislike how Go handles dependencies.

[1]: Well, from a mirror, unless you set `GOPROXY=direct`. Reasoning explained in next paragraph.

[2]: The checksum is calculated from a zip file, but it is generated in a deterministic way, and this checksum is also generated and validated locally when you download dependencies. More info at https://go.dev/ref/mod#zip-files and https://go.dev/ref/mod#go-mod-verify

YeGoblynQueenne 9/10/2025||

>> It sets a deadline a few days in the future. This creates a sense of urgency, and when you combine urgency with being rushed by life, you are much more likely to fall for the phishing link.

Procrastination is a security strategy.

kitd 9/10/2025|

When we do the phishing awareness training at $WORK, we are told any sense of urgency is suspicious, especially from an established org. Most would give you at least a month before something as draconian as locking your account.

leoc 9/9/2025||

> Even then, that wouldn't really stand out to me because I've seen companies use new generic top level domains to separate out things like the blog at .blog or the docs at .guide, not to mention the .new stack.

This is very much a 'can we please not' situation, isn't it? (Obviously it's not something that the email recipients can (usually) control, so it's not a criticism of them.) It also has to meaningfully increase the chance that someone will eventually forget to renew a domain, too.

NoahZuniga 9/9/2025||

Facebook sends legit account secuirty emails from facebookmail.com. Horrible.

leoc 9/9/2025||

For a company that is otherwise quite serious about security nowadays, MS seems to be the champion of this. Say hello to live.com and its friends …

junon 9/10/2025||

Anecdotally throughout all this, contacting npm got me a response from githubsupport.com. I had to double check if that was even real.

amradio1989 9/9/2025||

Great write up. I can understand the indignation at the exploit, but I believe it’s an A+ exploit for the chosen attack vector.

Not only is it “proof of concept” but it’s a low risk high reward play. It’s brilliant really. Dangerously so.

m463 9/9/2025||

Would recommend less click-baity: "NPM attack - we all dodged a bullet"

binarymax 9/9/2025||

There's only one thing that would throw me off this email and that is DMARC. But I didn't get the email, so who is to say if I actually would have been caught.

vel0city 9/9/2025||

This was a domain "legitimately" owned by the adversary. They controlled that DNS. They could set any SPF or DKIM records they wanted. This email probably passed all DMARC checks. From some screenshots, the email client even has a green check probably because it did pass DMARC.

junon 9/9/2025||

    Authentication-Results: aspmx1.migadu.com;
        dkim=pass header.d=smtp.mailtrap.live header.s=rwmt1 header.b=Wrv0sR0r;
        dkim=pass header.d=npmjs.help header.s=rwmt1 header.b=opuoQW+P;
        spf=pass (aspmx1.migadu.com: domain of ndr-cbbfcb00-8c4d-11f0-0040-f184d6629049@mt86.npmjs.help designates 45.158.83.7 as permitted sender) smtp.mailfrom=ndr-cbbfcb00-8c4d-11f0-0040-f184d6629049@mt86.npmjs.help;
        dmarc=pass (policy=none) header.from=npmjs.help

ChrisArchitect 9/9/2025||

NPM debug and chalk packages compromised

https://news.ycombinator.com/item?id=45169657

thrownaway561 9/9/2025||

The is the main reason why if you ever get a password reset email you ALWAYS go to the site directly and NEVER through the link provided in the email.

tempodox 9/10/2025|

Stuff like this is why I stay away from everything that touches NPM, but I guess not everyone has the freedom to make that decision.

More comments...