“Stepping back from the particular attack, it yet again demonstrates that phishing, if done right, can successfully target even technically more competent employees like developers,” Ullrich said. “CISOs must insist on implementing phishing-resistant authentication wherever possible.”
Robert Beggs, head of Canadian incident response firm Digital Defence, added that the attack is a call to ensure that GitHub instances have been hardened (removal of unnecessary applications, verification of deploy keys for all projects, GitHub Secret Scanning alerts turned on) and that monitoring is in place.
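One way to put the deploy-key verification Beggs recommends into practice is to audit every repository's keys against an approved inventory. The script below is an added illustration, not code from the article or from Digital Defence: it assumes the JSON shape returned by the GitHub REST endpoint `GET /repos/{owner}/{repo}/keys` (fields `id`, `title`, `key`, `read_only`, `created_at`), which can be fetched with `gh api repos/OWNER/REPO/keys`; the repository name, key material and approved-fingerprint set are constructed sample data.

```python
"""Deploy-key audit for a GitHub repository (added example, not from the article).

Flags keys that are not in the approved inventory, keys with write access,
and keys older than a rotation window. Input is the JSON list returned by
GET /repos/{owner}/{repo}/keys; the sample at the bottom is constructed.
"""
import base64
import hashlib
import json
import sys
from datetime import datetime, timedelta, timezone


def key_fingerprint(openssh_key: str) -> str:
    """SHA256 fingerprint of an OpenSSH public-key line, formatted the way
    `ssh-keygen -lf` prints it (base64 without '=' padding)."""
    blob = openssh_key.split()[1]
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_deploy_keys(repo, keys, allowed_fingerprints, now=None, max_age_days=365):
    """Return a list of human-readable findings for the deploy keys of `repo`.

    allowed_fingerprints: set of SHA256 fingerprints from the approved inventory.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for k in keys:
        fp = key_fingerprint(k["key"])
        created = datetime.fromisoformat(k["created_at"].replace("Z", "+00:00"))
        label = f'{repo} key #{k["id"]} "{k["title"]}" ({fp})'
        if fp not in allowed_fingerprints:
            findings.append(f"{label}: not in the approved deploy-key inventory")
        if not k.get("read_only", False):
            findings.append(f"{label}: has write access; deploy keys should be "
                            "read-only unless the deployment actually pushes")
        if now - created > timedelta(days=max_age_days):
            findings.append(f"{label}: older than {max_age_days} days; rotate or remove")
    return findings


def _fake_key(seed: str) -> str:
    # Constructed stand-in for a public key; only the base64 blob shape matters here.
    return "ssh-ed25519 " + base64.b64encode(seed.encode()).decode() + " ci@example"


# Constructed sample: one approved read-only CI key, one unknown stale write key.
APPROVED_KEY = _fake_key("approved-deploy-key")
SAMPLE_REPO = "example-org/widget"  # hypothetical repository
SAMPLE_KEYS = [
    {"id": 101, "title": "ci-readonly", "key": APPROVED_KEY,
     "read_only": True, "created_at": "2024-01-15T10:00:00Z"},
    {"id": 102, "title": "old-laptop", "key": _fake_key("unknown-key"),
     "read_only": False, "created_at": "2021-06-01T09:30:00Z"},
]
ALLOWED = {key_fingerprint(APPROVED_KEY)}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample


def run_sample():
    """Audit the constructed sample; returns three findings, all for key #102."""
    return audit_deploy_keys(SAMPLE_REPO, SAMPLE_KEYS, ALLOWED, now=NOW)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python audit.py OWNER/REPO keys.json   (keys.json from `gh api`)
        with open(sys.argv[2]) as fh:
            result = audit_deploy_keys(sys.argv[1], json.load(fh), ALLOWED)
    else:
        result = run_sample()
    for line in result:
        print(line)
```

In practice the approved-fingerprint set would be loaded from the team's key inventory rather than hard-coded, and the loop would run over every repository in the organization so that a key added to a single project does not escape review.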
He said it also reinforces the usefulness of records such as those in a software bill of materials. “Organizations have to ensure that they are prepared to respond to future attacks, which will no doubt be more complex than the npm attack,” he said.