Yeah, NPM should be enforcing 2FA, and likely phishing-resistant 2FA for some packages; this should be a real control, issuing public audit events for email address changes, and publish events should include information on how it was published (trusted publishing, manual publish, etc.).
reply
Instead they took away TOTP as a factor.

Scaling security with the popularity of a repo does seem like a good idea.

reply
Are there downsides to doing this? This was my first thought - though I also recognize that first thoughts are often naive.
reply
You don't want "project had X users so it's less safe" to suddenly transition into "now this software has X*10 users so it has to change things"; it's disruptive.
reply
TOTP, although venerable, was better than no second factor at all.
reply
TOTP isn't phishing resistant.
reply
No, it's not, but it's better than nothing. Don't let the perfect be the enemy of the good.
reply
TOTP seems effectively useless for npm so that seems fine to me
reply
Well, that sucks! It’ll be interesting to learn how they obtained a valid second factor or 2FA bypass; that will inform the next round of defenses here.
reply
One wonders if Microsoft/npm.js should allow new packages to be published immediately following an account email address change? I mean, changes to email address are already recognized as potential attack vectors, so emails are sent to the old address warning of a potential account takeover. But this seems to have been done at night, so the warning email would not have been seen yet. Even so, a new package could be published and served to the world immediately. Unless I misunderstand something about the facts, this would indicate an extreme lack of imagination in the people at Microsoft who have already gone through several cycles of hardening the service against supply chain poisoning attacks.
reply
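The two controls proposed in this thread, a cooldown on publishing after an account email change and publish audit events that record how a version was published and with which second factor, can be sketched as a registry-side policy gate. The following is an added example written for this page, not npm's code and not anything the commenters posted; the cooldown length, the download threshold, the event/request shapes and the sample timeline (an email change at 02:00 UTC followed by a publish attempt half an hour later) are all assumptions constructed for illustration.

```python
"""Illustrative registry-side publish gate (added example, not npm's implementation).

Rules, in the order they are applied:
  1. No publish of any kind within EMAIL_CHANGE_COOLDOWN of an account email change
     (the warning mail to the old address needs time to be seen and acted on).
  2. Manual publishes to high-impact packages require a phishing-resistant factor;
     trusted publishing has no interactive second factor, so the rule does not apply.
  3. Every decision, allowed or not, yields an audit event that records the publish
     method and the factor used, which is what a public audit log would carry.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy knobs: illustrative values, not anything npm has announced.
EMAIL_CHANGE_COOLDOWN = timedelta(hours=24)
HIGH_IMPACT_WEEKLY_DOWNLOADS = 1_000_000
PHISHING_RESISTANT = {"webauthn"}      # TOTP deliberately not in this set


@dataclass(frozen=True)
class AccountEvent:
    kind: str            # e.g. "email_change"
    at: datetime
    detail: str = ""


@dataclass(frozen=True)
class PublishRequest:
    package: str
    version: str
    actor: str
    method: str          # "trusted_publishing" or "manual"
    mfa: Optional[str]   # None, "totp" or "webauthn"
    at: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    audit_event: dict    # what would be emitted to a public audit log


def latest_event(events, kind, before):
    """Most recent event of `kind` at or before `before`, or None."""
    matches = [e for e in events if e.kind == kind and e.at <= before]
    return max(matches, key=lambda e: e.at) if matches else None


def evaluate_publish(req, account_events, weekly_downloads):
    """Apply the three rules above and return a Decision with its audit record."""
    audit = {
        "event": "publish",
        "package": req.package,
        "version": req.version,
        "actor": req.actor,
        "method": req.method,
        "mfa": req.mfa,
        "at": req.at.isoformat(),
    }
    change = latest_event(account_events, "email_change", req.at)
    if change is not None and req.at - change.at < EMAIL_CHANGE_COOLDOWN:
        audit["email_changed_at"] = change.at.isoformat()
        return Decision(False, "publish inside email-change cooldown", audit)
    if (req.method == "manual"
            and weekly_downloads >= HIGH_IMPACT_WEEKLY_DOWNLOADS
            and req.mfa not in PHISHING_RESISTANT):
        return Decision(False, "high-impact package needs phishing-resistant 2FA for manual publish", audit)
    return Decision(True, "ok", audit)


# Constructed timeline: email changed at night, publish attempted 30 minutes later.
T0 = datetime(2025, 9, 8, 2, 0, tzinfo=timezone.utc)


def scenario():
    """Run four constructed publish attempts against one constructed account history."""
    events = [AccountEvent("email_change", T0, "old@example.invalid -> new@example.invalid")]
    attempts = {
        "manual_30min_after_change": PublishRequest("example-pkg", "1.2.3", "maintainer", "manual", "totp", T0 + timedelta(minutes=30)),
        "trusted_30min_after_change": PublishRequest("example-pkg", "1.2.3", "ci", "trusted_publishing", None, T0 + timedelta(minutes=30)),
        "manual_next_week_totp": PublishRequest("example-pkg", "1.2.4", "maintainer", "manual", "totp", T0 + timedelta(days=7)),
        "manual_next_week_webauthn": PublishRequest("example-pkg", "1.2.4", "maintainer", "manual", "webauthn", T0 + timedelta(days=7)),
        "trusted_next_week": PublishRequest("example-pkg", "1.2.4", "ci", "trusted_publishing", None, T0 + timedelta(days=7)),
    }
    # Assumed popularity: well above the high-impact threshold.
    return {name: evaluate_publish(r, events, weekly_downloads=5_000_000) for name, r in attempts.items()}


if __name__ == "__main__":
    for name, d in scenario().items():
        print(f"{name}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason}) method={d.audit_event['method']} mfa={d.audit_event['mfa']}")
```

The ordering matters: the cooldown is checked before the factor check so that a freshly hijacked account cannot sidestep it by switching to trusted publishing, and the audit record is built before either rule runs so that denied attempts are logged with the same fields as successful ones.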