I always enjoy reading these. There’s a lot to learn, both about your own security practices, and about the integrity of the attacked packages in how they respond.
I also wanted to cross post to ~security, but it seems that territory is no longer active
So according to all the experts, the issue is 2-hour 2fa sessions? Makes sense, looking at the timeline. But then, it doesn't make sense to recommend having GH as a secure platform instead - its 2fa sessions are 28 days. (not to mention, PATs don't get 2fa challenges)
Main root cause - using GitHub...lol
Good post mortem share. Supply chain attacks on npm packages are the gift that keeps giving for attackers because the trust model is backwards. You trust the package, then the package trusts its maintainer, then the maintainer trusts their credential storage. One compromised token and the whole chain falls.
What gets me about these is the detection lag. The malicious code was in production for how long before anyone noticed? That's the real story. Not the attack itself but the gap between compromise and discovery.
The defense stack is slowly getting better - lockfiles, provenance attestations, Sigstore signatures - but it's all opt-in. Until package managers make verified builds the default instead of the exception, we're playing whack-a-mole with compromised maintainer accounts.
Curious if anyone here has actually switched to auditing their dependency updates manually. I tried it for a week and gave up. The volume is insane.
https://stackfeed.org/article/medium-the-package-that-stole-your-secrets-inside-the-axios-npm-attack