This 2FA phishing scam pwned a developer - and endangered billions of npm downloads


'Stay vigilant.' Other maintainers have been targeted, too.

The email in question claimed to be a security notice, warning users that unless they updated their two-factor authentication (2FA) credentials, their accounts would be temporarily locked starting Sept. 10.

(Image: Josh Junon via Imgur)

Aikido Security researchers published a blog post outlining the incident, in which malicious updates were added to npm packages and pushed Monday at around 13:16 UTC. "The packages were updated to contain a piece of code that would be executed on the client of a website, which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user," the researchers said.

Or read this on ZDNet
