by dboreham
290 days ago
> OP entered their credentials and TOTP code, which the attacker proxied to the real npmjs.com

FWIW npmjs does support FIDO2 including hard tokens like Yubikey. They do not force re-auth when issuing an access token with publish rights, which is probably how the attackers compromised the packages. IIRC GitHub does force re-auth when you request an access token.
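To make the contrast in the comment above concrete, here is an added example (not code from the thread, npmjs.com or GitHub): a minimal RFC 6238 TOTP verifier next to a minimal WebAuthn-style assertion verifier, run through a simulated credential-proxying phish. The origins, the credential key, and the use of HMAC in place of the authenticator's asymmetric signature are assumptions for the simulation. The TOTP code carries nothing that ties it to the page the user typed it into, so the relay succeeds; the WebAuthn clientDataJSON carries the origin the browser was actually on, and the relying party rejects anything other than its own.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct

# Constructed example; origins and keys below are hypothetical.
REAL_ORIGIN = "https://www.npmjs.com"
PHISH_ORIGIN = "https://npmjs-login.example"   # attacker's reverse proxy (hypothetical)
RP_ID = b"www.npmjs.com"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def server_accepts_totp(server_secret: bytes, submitted_code: str, now: int) -> bool:
    return hmac.compare_digest(totp(server_secret, now), submitted_code)


def totp_via_proxy(shared_secret: bytes, now: int) -> bool:
    """The user reads the code off their phone and types it into the phishing
    page; the proxy forwards it unchanged to the real site. The code is not
    bound to where it was typed, so the real site accepts it."""
    code_typed_into_phish_page = totp(shared_secret, now)
    forwarded_by_proxy = code_typed_into_phish_page
    return server_accepts_totp(shared_secret, forwarded_by_proxy, now)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_builds_assertion(cred_key: bytes, challenge: bytes, page_origin: str) -> dict:
    """The browser writes the origin of the page that called
    navigator.credentials.get() into clientDataJSON; the authenticator then
    signs authenticatorData || SHA-256(clientDataJSON). HMAC stands in for the
    credential's private-key signature here (simplification)."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
    }).encode()
    # authenticatorData = rpIdHash || flags (UP set) || signCount
    auth_data = hashlib.sha256(RP_ID).digest() + bytes([0x01]) + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {
        "clientDataJSON": client_data,
        "authenticatorData": auth_data,
        "signature": hmac.new(cred_key, signed, hashlib.sha256).digest(),
    }


def rp_accepts_assertion(cred_key: bytes, issued_challenge: bytes, assertion: dict) -> bool:
    """Relying-party checks in the order the WebAuthn spec lists them:
    type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != b64url(issued_challenge):
        return False
    if cd.get("origin") != REAL_ORIGIN:      # the check that defeats the proxy
        return False
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID).digest():
        return False
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def fido2_login(cred_key: bytes, page_origin: str) -> bool:
    """The real site issues a challenge, the proxy relays it to the victim's
    browser, the browser builds the assertion against whatever origin it is
    on, and the proxy relays the assertion back."""
    challenge = secrets.token_bytes(32)
    assertion = browser_builds_assertion(cred_key, challenge, page_origin)
    return rp_accepts_assertion(cred_key, challenge, assertion)


if __name__ == "__main__":
    secret = b"12345678901234567890"
    print("TOTP relayed through proxy accepted:", totp_via_proxy(secret, 1_700_000_000))
    print("FIDO2 on real origin accepted:      ", fido2_login(b"cred-key", REAL_ORIGIN))
    print("FIDO2 relayed through proxy accepted:", fido2_login(b"cred-key", PHISH_ORIGIN))
```

In a real browser the phished assertion would never be produced at all: the credential's RP ID (www.npmjs.com) is not a registrable suffix of the phishing origin, so the browser refuses the navigator.credentials.get() call before the authenticator is touched. The simulation skips that client-side refusal to show that the server-side origin check rejects the relayed assertion on its own.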
> I'm surprised by this.

Yeah, GitHub definitely forces you to re-auth when accessing certain settings.