0-days

Two billion downloads per week. That’s the download totals for the NPM packages compromised in a supply-chain attack this week. Ninety-nine percent of the cloud depends on one of the packages, and one-in-ten cloud environments actually included malicious code as a result of the hack. Take a moment to ponder that. In a rough estimate, ten percent of the Internet was pwned by a single attack.

What extremely sophisticated technique was used to pull off such an attack? A convincing-looking phishing email sent from the newly registered npmjs.help domain. [qix] is the single developer of many of these packages, and in the midst of a stressful week, fell for the scam. We could refer to the obligatory XKCD 2347 here. It’s a significant problem with the NPM model that a single developer falling for a phishing email can expose the entire Internet to such risk. Continue reading “This Week In Security: NPM, Kerbroasting, And The Rest Of The Story” →

Hackaday

1 Articles

This Week In Security: NPM, Kerbroasting, And The Rest Of The Story

Search

Never miss a hack

If you missed it

What Happened To Running What You Wanted On Your Own Machine?

Ore Formation: Return Of The Revenge Of The Fluids

Word Processing: Heavy Metal Style

A Tale Of Two Car Design Philosophies

Rubik’s WOWCube: What Really Makes A Toy?

Our Columns

FLOSS Weekly Episode 852: Sir, This Is A Wendy’s

2025 Hackaday Supercon: Two New Workshops, Costume Party, Lightning Talks, And A New-Space Panel

Ask Hackaday: When Good Lithium Batteries Go Bad

Hackaday Links: October 19, 2025

Precision, Imprecision, Intellectual Honesty, And Little Green Men

Search

Never miss a hack

Subscribe

If you missed it

Our Columns