Phishing for Dependencies (npm & pypi)

Oct 3, 2025
Recent attacks against maintainers of popular open-source dependencies have shown that even seasoned developers are vulnerable to sophisticated phishing attacks. The only real defense is to use phishing-resistant MFA, like the Allthenticator.
The most notable thing about these attacks against Chalk & Debug and other widely-used open-source dependencies is that they target tech-savvy users who already have MFA enabled.
It just goes to show that the only way to truly defend yourself is to use phishing-resistant authentication methods.
https://thehackernews.com/2025/07/pypi-warns-of-ongoing-phishing-campaign.html
https://thehackernews.com/2025/07/malware-injected-into-6-npm-packages.html
https://www.youtube.com/watch?v=fdUKJ-4y2zo
https://news.ycombinator.com/item?id=45169657
https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised