0-days

Two billion downloads per week. That’s the download totals for the NPM packages compromised in a supply-chain attack this week. Ninety-nine percent of the cloud depends on one of the packages, and one-in-ten cloud environments actually included malicious code as a result of the hack. Take a moment to ponder that. In a rough estimate, ten percent of the Internet was pwned by a single attack.

What extremely sophisticated technique was used to pull off such an attack? A convincing-looking phishing email sent from the newly registered npmjs.help domain. [qix] is the single developer of many of these packages, and in the midst of a stressful week, fell for the scam. We could refer to the obligatory XKCD 2347 here. It’s a significant problem with the NPM model that a single developer falling for a phishing email can expose the entire Internet to such risk. Continue reading “This Week In Security: NPM, Kerbroasting, And The Rest Of The Story” →

Hackaday

1 Articles

This Week In Security: NPM, Kerbroasting, And The Rest Of The Story

Search

Never miss a hack

If you missed it

On 3D Scanners And Giving Kinects A New Purpose In Life

The Hottest Spark Plugs Were Actually Radioactive

A Cut Above: Surgery In Space, Now And In The Future

Two Decades Of Hackaday In Words

Spy Tech: The NRO And Apollo 11

Our Columns

How Hydraulic Ram Pumps Push Water Uphill With No External Power Input

FLOSS Weekly Episode 849: Veilid: Be A Brick

Lost Techniques: Bond-out CPUs And In Circuit Emulation

2025 Hackaday Speakers, Round One! And Spoilers

Ask Hackaday: How Do You Distro Hop?

Search

Never miss a hack

Subscribe

If you missed it

Our Columns