It appears the individual was unable to distinguish a display name from the actual email address (common phishing tactic of having something like admin@company.org as the email display name while the actual email address is a random throwaway). [1]
Good reminder to use a password manager as well (as it would also catch the 'npnjs' typo squatted domain too).
Similar incident happened to the HIBP guy who mentioned ignoring the password manager safeguards due to being half asleep while on the plane.
Also keep in mind you can disable install scripts in npm from running (if you happen to not do your development in an isolated environment) via configuring your .npmrc with
One thing Npm should implement (at least for popular packages) is deny publishing new versions that don't have provenance [1] if the previous versions had it. This would have stopped this attack.
I feel like this is a really big deal, eslint and prettier are a must-have for any js/ts project, imo. Many developers could be affected (and probably were). Which will lead to even more supply chain attacks down the line...
9 comments
[ 3.3 ms ] story [ 31.2 ms ] threadit looks like installing a dll so maybe it's windows only?
https://github.com/prettier/eslint-config-prettier/issues/33...
Good reminder to use a password manager as well (as it would also catch the 'npnjs' typo squatted domain too).
Similar incident happened to the HIBP guy who mentioned ignoring the password manager safeguards due to being half asleep while on the plane.
Also keep in mind you can disable install scripts in npm from running (if you happen to not do your development in an isolated environment) via configuring your .npmrc with
> ignore-scripts=true
Stay safe out there
1: https://x.com/JounQin/status/1946297662069993690
[1] https://docs.npmjs.com/generating-provenance-statements
It's the primary way suggested to integrate the two https://prettier.io/docs/integrating-with-linters