On March 30th, at 11:10pm ET, my laptop was compromised by a foreign actor. This was my work laptop. I was watching TV, and doing some small upgrades on projects, probably working when I shouldn't have been. Then the internet on my laptop stopped working.
I was tired, didn't think anything of it. Just technology being dumb. Took it as a sign to stop working.
Twenty minutes later, I was paged for an incident. Apparently my laptop had stopped connecting to the internet because it had tried to connect to a known compromised domain. Our two security tools, CrowdStrike and Red Canary, had detected it and isolated my machine. This incident was run without me: the team told me what was up and started to investigate deeper.
Social media was already talking about it: Axios, one of the most popular NPM packages for Node.js, had been compromised. Over time, it became clear that I had installed axios@1.14.1 and pushed it to one of our in-development projects. Thankfully everything auto-locked down. Nothing had been exfiltrated. No data breach. All machines that it touched were wiped and replaced. All credentials on all of those machines were rotated.
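The first question anyone in the same position has to answer is "does any of my projects have that version locked?" The scanner below is an added example, not code from the post's author or from the axios project. It takes a list of name@version pairs as input (seeded here only with the version named above), walks an npm lockfile in either the v1 nested "dependencies" shape or the v2/v3 flat "packages" shape, and reports every install path carrying a listed version, including copies nested under other packages. The embedded lockfile is constructed for this example.

```javascript
// Added example: find lockfile entries matching a list of package versions
// named in a compromise notice. Not the post author's or axios's code.
// BAD_VERSIONS is an input; it is seeded only with the version the post names.
const BAD_VERSIONS = new Set(["axios@1.14.1"]);

// Constructed lockfileVersion 3 sample (npm 7+ uses a flat "packages" map
// keyed by install path; a nested copy of axios is included on purpose).
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": {
      version: "1.14.1",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
    },
    "node_modules/follow-redirects": { version: "1.15.6" },
    "node_modules/some-tool/node_modules/axios": { version: "1.7.9" },
  },
});

// "node_modules/a/node_modules/@scope/name" -> "@scope/name"; the root
// entry "" has no node_modules segment and yields null.
function packageNameFromPath(p) {
  const marker = "node_modules/";
  const idx = p.lastIndexOf(marker);
  return idx === -1 ? null : p.slice(idx + marker.length);
}

// Collect {name, version, path} for every locked package, handling both
// the v1 nested "dependencies" tree and the v2/v3 "packages" map.
function listLockedPackages(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const out = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = packageNameFromPath(path);
      if (name && meta.version) out.push({ name, version: meta.version, path });
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (meta.version) out.push({ name, version: meta.version, path });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return out;
}

// Return every locked entry whose name@version is on the bad list.
function findCompromised(lockfileText, badVersions = BAD_VERSIONS) {
  return listLockedPackages(lockfileText).filter((p) =>
    badVersions.has(`${p.name}@${p.version}`)
  );
}

// Stand-alone usage: `node scan.js package-lock.json`; with no argument the
// constructed sample is scanned. Exit code 1 means at least one hit.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const file = process.argv[2];
  const text = file ? fs.readFileSync(file, "utf8") : SAMPLE_LOCKFILE;
  const hits = findCompromised(text);
  for (const h of hits) console.log(`${h.path}: ${h.name}@${h.version}`);
  process.exitCode = hits.length ? 1 : 0;
}
```

Matching on the lockfile rather than package.json matters because a caret range like ^1.14.0 says nothing about what was actually installed; the lockfile (and node_modules) records the resolved version, and a bad version can sit under another package's node_modules even when the top-level copy is clean.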
If this had been my personal machine, I wouldn't have been so lucky. And maybe that's why the timing lined up. There are lots of timelines about how sophisticated this attack was:
- How the developers were social engineered
- How the computers were compromised
- Who perpetrated the attack
- A full postmortem from the Axios team
And all I can think about is how lucky I was. At work, we have invested a ton in tooling and providers to catch this sort of thing. And it worked. I don't have this kind of infrastructure for my personal things. Nor do most people. Sure, folks might have antivirus installed. But actors are getting more and more sophisticated, and catching attacks if you're not on top of your game is getting harder and harder.
I am embarrassed that I got compromised. And I am mostly writing this to share that it's not your fault if you also get compromised. Yes, you should be prepared. Yes, you should lock your stuff down. But this happens. And we need to talk about it.[1]
/Nat
Footnotes
[1] Lots of countries and laws actually require disclosure if production data is compromised (GDPR, rules for public companies, and others).