A lesson from NPM hacks: It’s time to remove the human factor from authentication factors


As the JavaScript ecosystem is still recovering from the massive supply chain attacks targeting NPM software packages, one thing is clear — you need phishing-resistant authentication now, urges Johannes B. Ullrich, Ph.D., Dean of Research at SANS.edu.

On September 8th, eighteen very popular NPM packages with over 2 billion weekly downloads were updated with malicious code, including a crypto drainer, in what was called the largest supply chain attack in history.

NPM is the main JavaScript software registry used by developers to build web, mobile, enterprise, and other apps. Fortunately, the compromise was detected in time to protect users from major losses, and criminals managed to steal only around $1,100 in four days.


The maintainer of these packages, Josh Junon, received a very convincing email from support@npmjs[.]help asking him to reset his credentials, and fell for it.

The crooks used the [.]help top-level domain, while the genuine NPM registry uses [.]com.

Image: the phishing email sent to the maintainer. Image by Check Point.

Lessons learned?

Little more than a week later, another massive automated compromise infected over 500 NPM packages, including widely used libraries such as tinycolor. What made this compromise even worse was its self-propagating mechanism: stealing access tokens and using them to hijack even more repositories.

This year, these supply chain compromises weren’t the only high-profile attacks targeting NPM developers — there has been a constant onslaught.

Therefore, security researchers think we need to remove the human factor from the multiple factors of authentication.

“All it took for the NPM phish to succeed was a well-written email and a convincing landing page,” Ullrich writes in a blog post. “Even technically sophisticated and aware users are falling for phishing lures.”


Once the npmjs[.]help campaign ended, hackers seemingly attempted to repeat the scheme with another fraudulent website, npmjs[.]cam, using the top-level domain .cam instead of .com. This malicious site is no longer reachable.
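Both campaigns relied on a host that differs from the registry's domain only in its top-level domain (npmjs[.]help, npmjs[.]cam). The check below is an added example, not code from the article or from NPM: it classifies links and sender addresses against an assumed allow-list of trusted domains, accepts the defanged `[.]` notation used above, and separately flags hosts that reuse the trusted second-level label under a different TLD, which is exactly the pattern seen here. It generalises beyond the two hosts in the article to any allow-listed domain.

```python
"""Classify links and sender addresses against an allow-list of trusted domains.

Added example (not from the article or NPM). TRUSTED_DOMAINS is an assumed
configuration value; the URLs in the usage section are constructed from the
defanged hosts named in the article.
"""
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"npmjs.com"}   # assumed allow-list for the legitimate registry


def refang(text: str) -> str:
    """Turn defanged indicators such as 'npmjs[.]help' back into a parseable host."""
    return text.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def normalise_host(host: str) -> str:
    """Lower-case, strip a trailing dot, and convert Unicode labels to their
    ASCII (IDNA) form so look-alike Unicode hosts are compared consistently."""
    host = host.strip().lower().rstrip(".")
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def host_is_trusted(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Exact match on a trusted domain or one of its subdomains.
    'npmjs.com.evil.example' is NOT trusted: the suffix check is anchored at the end."""
    host = normalise_host(host)
    return any(host == d or host.endswith("." + d) for d in trusted)


def is_lookalike_tld(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True when the host keeps a trusted domain's second-level label but swaps
    the TLD, e.g. npmjs.help or npmjs.cam for npmjs.com."""
    labels = normalise_host(host).split(".")
    if len(labels) < 2:
        return False
    trusted_slds = {d.split(".")[-2] for d in trusted if d.count(".") >= 1}
    return labels[-2] in trusted_slds


def classify_link(url: str, trusted=TRUSTED_DOMAINS) -> tuple[str, str]:
    """Return (verdict, host) for a URL found in a message.
    Verdicts: 'trusted', 'lookalike-tld', 'untrusted', 'no-host'."""
    parts = urlsplit(refang(url))
    host = normalise_host(parts.hostname or "")
    if not host:
        return ("no-host", host)
    if host_is_trusted(host, trusted):
        return ("trusted", host)
    if is_lookalike_tld(host, trusted):
        return ("lookalike-tld", host)
    return ("untrusted", host)


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> tuple[str, str]:
    """Same verdicts for the domain part of an e-mail address."""
    domain = refang(address).rsplit("@", 1)[-1]
    return classify_link("https://" + domain + "/", trusted)


if __name__ == "__main__":
    # Constructed inputs based on the hosts named in the article.
    for item in ["https://www.npmjs.com/package/chalk",
                 "https://npmjs[.]help/reset-password",
                 "https://npmjs.cam/login",
                 "https://npmjs.com.evil.example/"]:
        print(classify_link(item), item)
    print(classify_sender("support@npmjs[.]help"))
```

A mail gateway or a pre-commit hook for release tooling can route anything other than `trusted` to review; the `lookalike-tld` verdict is the one worth alerting on loudly, since it is the cheapest trick for an attacker and the hardest for a hurried reader to spot.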

Phishing was also the main way in for Scattered Spider attackers, who compromised many major tech companies recently.

“They didn't utilize 0-day exploits. They didn’t utilize novel and ‘undetectable’ malware. They didn’t exploit N-days or try to find vulnerable external-facing machines. All they did was call the help desk. That's it. That's literally it,” malware researchers from vx-underground noted in a post on X.

If human action is required for authentication, it’s not phishing-resistant

Ullrich argues that it’s time to stop blaming the user and instead get working on phishing-resistant authentication methods, such as passkeys.

“Anybody will fall for phishing if a well-targeted e-mail is used,” Ullrich said. “If even experienced developers fall for these tricks, how do we protect people like HR, or worse, our sales team? More click-through security awareness training? Instructing them 'not to click on links'? Or... triple-factor authentication?”

Cybernews previously reported on a recent study demonstrating that cybersecurity training had almost no effect on the likelihood of falling victim to phishing.

Yet another large-scale field study of 12,511 employees about the effectiveness of phishing awareness training has found that “neither lecture-based nor interactive training produced statistically significant improvements in click rates.”


“The real solution lies in how we authenticate, and it is not about multiple factors,” Ullrich suggests.

Image: passkeys. Image by Cybernews.

Why does multi-factor authentication fail? Part or all of the credentials may be compromised. Phishers use pixel-perfect clones of websites to lure victims into entering their credentials, which are then relayed to the attackers. Users are often unable to identify look-alike domains. Phishing kits such as Evilginx place an attacker-controlled proxy between the user and the real site, intercepting and manipulating all of the user's traffic, including the second factor.

“The only way to protect from tools like this is to not have the user in charge of selecting the right credentials. Any authentication mechanism that requires the user to make a decision as to what credential to use for a particular website is not fundamentally phishing-resistant,” the researcher said.

According to Ullrich, passkeys are a much better phishing-resistant authentication method because they are selected automatically based on the origin of the site the user attempts to log in to.

“It is not possible for the user to select different credentials, ensuring phishing safety. TLS client certificates could work as well, but are technically more complex to properly implement and, as a result, not practical for most public sites.”


The researcher also quotes the NIST Digital Identity Guidelines (Special Publication 800-63B):

“Authenticators that involve the manual entry of an authenticator output (e.g., out-of-band and OTP authenticators) SHALL NOT be considered phishing-resistant because the manual entry does not bind the authenticator output to the specific session being authenticated.”

This also means that currently popular authentication methods, including Microsoft’s authenticator-based MFA, are not phishing-resistant.
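The two points above, that a passkey is bound to the site's origin while a manually entered one-time code is bound to nothing but the secret and the clock, can be shown side by side. The following is an added example, not code from the article, SANS or NPM: a standard RFC 6238 TOTP verifier (whose inputs contain no notion of where the code was typed) next to the origin-binding steps a WebAuthn relying party performs on an assertion. The relying-party origin, rpId, challenge and credential data are all constructed for the illustration; the browser-side rule that a credential for `npmjs.com` is never even offered to `npmjs.help` is the primary defence, and these server-side checks are what the site verifies on top of it.

```python
"""Origin binding: a passkey assertion is tied to the site, a TOTP code is not.

Added example (not from the article, SANS or NPM). EXPECTED_ORIGIN and
EXPECTED_RP_ID are assumed relying-party settings; credential data below is
constructed, not captured.
"""
import hashlib
import hmac
import json

EXPECTED_ORIGIN = "https://www.npmjs.com"   # assumed RP origin
EXPECTED_RP_ID = "npmjs.com"                # assumed RP ID


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1. Inputs: shared secret and time only."""
    counter = (unix_time // step).to_bytes(8, "big")
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, submitted_code: str, unix_time: int) -> bool:
    """The server cannot tell whether the code was typed into the real page or
    relayed through a look-alike site: there is no origin in this check."""
    return hmac.compare_digest(totp(secret, unix_time), submitted_code)


def make_authenticator_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> bytes:
    """Constructed authenticatorData: SHA-256(rpId) || flags || 32-bit counter.
    flags 0x05 = user present (0x01) + user verified (0x04)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + counter.to_bytes(4, "big"))


def make_client_data(origin: str, challenge: str) -> bytes:
    """Constructed clientDataJSON. In a real ceremony the browser sets `origin`
    itself; page script cannot override it."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": challenge,
                       "origin": origin}).encode()


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: str,
                    expected_origin: str = EXPECTED_ORIGIN,
                    expected_rp_id: str = EXPECTED_RP_ID) -> tuple[bool, str]:
    """Origin-binding steps of WebAuthn assertion verification on the RP side.
    The signature check over authenticatorData || SHA-256(clientDataJSON) is
    left to a WebAuthn library and runs only after these checks pass."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    expected_hash = hashlib.sha256(expected_rp_id.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], expected_hash):
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test-vector secret
    code = totp(secret, 59)
    # The same call answers the same way whether the user typed the code into
    # the genuine site or into a proxy that forwarded it: nothing binds it.
    print("TOTP accepted:", verify_totp(secret, code, 59))

    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"   # constructed server challenge
    auth = make_authenticator_data(EXPECTED_RP_ID)
    print(check_assertion(make_client_data("https://www.npmjs.com", challenge), auth, challenge))
    print(check_assertion(make_client_data("https://npmjs.help", challenge), auth, challenge))
```

The contrast is in the function signatures: `verify_totp` takes a secret, a code and a time, so a code phished through a proxy is indistinguishable from a genuine one; `check_assertion` rejects any clientDataJSON whose `origin` is not the relying party's and any authenticatorData whose `rpIdHash` was computed for a different domain, which is the session binding the NIST text above asks for.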


“You need phishing-resistant authentication NOW,” Ullrich urges in his blog post.
