Replies: 1 comment
There is now a new attack: https://www.youtube.com/watch?v=69F9IuBWb-E "Self-Replicating Worm Hits 180+ npm Packages to Steal Credentials in Latest Supply Chain Attack"
Because of the recent phishing attack against the chalk and debug packages, I suggest these ideas to improve the security of npm packages. This is just an outline of the various ideas I have in mind.
First, implement trust levels for packages and accounts.
Second, when a user creates an account, provide them with a Security Guide about securing their account, and make them take a quiz on that information.
Existing users who have not taken the quiz must also read the Security Guide and take the quiz before using their account.
The Security Guide talks about the following:
Never log in from links sent by email, except when the user initiated that request, such as an email confirmation, password reset, etc.
Always try to use a password manager and include the original domain name in the password manager entry, so that the password manager only works on the correct domains.
Use two-factor authentication such as TOTP, which is a one-time password. This makes it hard (but not impossible) for attackers to log in using credentials acquired by phishing, because a TOTP code only lasts for 30 seconds. Many password managers support TOTP. Also talk about other 2FA methods.
Do not use any referral links and advise users not to click on any referral links.
Only give Trusted status to accounts that have set up two-factor authentication.
(This one may be controversial.) Conduct an Official Security Phishing Attack (OSPA). Send occasional emails with login links to ALL developers. If they log in from that link, suspend their account temporarily for a few days, so that they become more vigilant about phishing attacks.
Official Security Phishing Attack (OSPA)
If an Official Security Phishing Attack (OSPA) is successfully conducted on a user, make the user do the following.
Make them do a quiz.
Show them a message about the various situations in which one might be more susceptible to a phishing attack, for example when exhausted from work, etc.
Show examples of other attacks on NPM libraries such as chalk, debug, etc.
Tell them to log in by going to the official site, typing the domain name or using a web search. This is to prevent real hackers from sending a fake OSPA email and making them think that their account has actually been suspended.
Also, partner with other sites such as DevOps tool sites to offer referral links for conducting OSPA, because email is not the only way phishing attacks happen.