We all dodged a bullet
Published on 2025-09-09, 971 words, 4 minutes to read
That NPM attack could have been so much worse.

Cadey: This post and its online comment sections are blame-free zones. We are not blaming anyone for clicking on the phishing link. If you were targeted with such a phishing attack, you'd fall for it too; it's a matter of when, not if. Anyone who claims they wouldn't is wrong. This is also a bit of a rant.

Yesterday one of the biggest package ecosystems had very popular packages get compromised. We're talking functionality like:

- Formatting text with colors for use in the terminal
- A list of common color names and their RGB values
- A decorator for functions so you can debug their inputs/outputs as they are run
- A utility function that determines if its argument can be used like an array

These kinds of dependencies are everywhere, and nobody would even think that they could be harmful. Getting code into these packages is almost guaranteed to be a free path into production deployments. If an open proxy server (à la Bright Data or the other botnets that the credit card network tolerates for some reason), an API key stealer, or worse had been sent through this chain of extreme luck on the attacker's part, this would be a completely different story. We all dodged a massive bullet because all the malware did was modify the destination addresses of cryptocurrency payments mediated via online wallets like MetaMask.

As someone adjacent to the online security community, I have a sick sense of appreciation for this attack. This was a really good attack. It started with a phishing email that I'd probably fall for if it struck at the right time:

This is frankly a really good phishing email. Breaking it down:

- It greets the user personally with their NPM username. This makes it look personalized, so people are more likely to trust it.
- People are used to the idea of changing passwords for security.
With that in mind, at a glance the idea of changing your two-factor au...
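The point above about tiny dependencies being a free path into production is where a practitioner wants a concrete check, not just a rant. The following is an added example, not code from the original post or from the npm project: it walks a package-lock.json (lockfileVersion 2 or 3) and reports every dependency, top-level or nested, that is pinned to a version on a denylist. The package names, versions and lockfile contents below are constructed placeholders, not the real compromised packages or versions; take those from the advisory for the incident you are responding to.

```javascript
// Added example (not from the original post, not npm's code): scan an npm
// lockfile for dependencies resolved to denylisted versions.

// Constructed sample lockfile, embedded so the example runs offline.
// Package names and versions are placeholders, not real compromised releases.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/example-colors": {
      version: "5.1.0",
      resolved: "https://registry.npmjs.org/example-colors/-/example-colors-5.1.0.tgz",
    },
    "node_modules/example-debug": {
      version: "4.3.0",
      resolved: "https://registry.npmjs.org/example-debug/-/example-debug-4.3.0.tgz",
    },
    // A nested copy pulled in by another dependency: the usual place a bad
    // version hides after a "clean" top-level upgrade.
    "node_modules/example-debug/node_modules/example-colors": {
      version: "5.1.1",
      resolved: "https://registry.npmjs.org/example-colors/-/example-colors-5.1.1.tgz",
    },
    "node_modules/@example/tiny-util": {
      version: "0.2.0",
      resolved: "https://registry.npmjs.org/@example/tiny-util/-/tiny-util-0.2.0.tgz",
    },
  },
});

// Hypothetical denylist: package name -> set of compromised versions.
// Fill this from the incident advisory; nothing here is a real IOC.
const DENYLIST = {
  "example-colors": new Set(["5.1.1"]),
  "@example/tiny-util": new Set(["0.2.0"]),
};

// Lockfile keys look like "node_modules/a/node_modules/b" (nested) or
// "node_modules/@scope/name" (scoped). The package name is whatever follows
// the last "node_modules/" segment. The root project has key "".
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Returns every installed copy whose version is on the denylist, with the
// install path so you can see which parent dragged it in.
function findCompromised(lockfileText, denylist) {
  const lock = JSON.parse(lockfileText);
  if (!lock.packages) {
    throw new Error(
      "expected lockfileVersion 2 or 3 (a 'packages' map); " +
        "lockfileVersion 1 uses a nested 'dependencies' tree instead"
    );
  }
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    const name = packageNameFromKey(key);
    if (name === null) continue; // root project, not a dependency
    const badVersions = denylist[name];
    if (badVersions && badVersions.has(entry.version)) {
      hits.push({ name, version: entry.version, path: key });
    }
  }
  return hits;
}

for (const h of findCompromised(SAMPLE_LOCKFILE, DENYLIST)) {
  console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
}
```

To run this against a real project, pass the text of its package-lock.json to findCompromised instead of SAMPLE_LOCKFILE. Walking the flat `packages` map rather than the top-level `dependencies` of package.json is the point: a denylisted version that only exists three levels deep under another dependency still ships to production, and a top-level `npm update` does not necessarily touch it.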