OP entered their credentials and TOTP code, which the attacker proxied to the re... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		dboreham 63 days ago \| parent \| context \| favorite \| on: NPM debug and chalk packages compromised OP entered their credentials and TOTP code, which the attacker proxied to the real npmjs.com FWIW npmjs does support FIDO2 including hard tokens like Yubikey. They do not force re-auth when issuing an access token with publish rights, which is probably how the attackers compromised the packages. iirc GitHub does force re-auth when you request an access token.

osa1 63 days ago [–]

> They do not force re-auth when issuing an access token with publish rights, which is probably how the attackers compromised the packages

I'm surprised by this. Yeah, GitHub definitely forces you to re-auth when accessing certain settings.

Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact