Phishing attempts are usually low-effort and easily seen through, npmjs.help one was good though.

> Why does it seem like phishing is popular again?

Was it ever not popular? Looking at my spam box, I receive countless of phishing attempts per week, and doing some quick queries of the total count over time, it seems to more or less been the same for the last 2-3 years at the very least.

I'm not sure why it's such big news all of a sudden, probably because it recently succeeded against a developer of some popular npm packages?

I think most people either have the phishing emails flagged, so they never see them. The ones that get seen, get ignored as obvious phishing. And for the ones that click the link, their password manager would stop them from entering their detail. And then you have the final 0.0001% who never protected themselves, and were tired/stressed at that very moment, and fell for it.

So I guess ultimately it's bound to become news every now and then, until everyone finally got the memo to get a proper password manager that don't show accounts that don't belong to the domain.

From my perspective, adjacent to front-line end user IT support in a lot of the work I do, phishing has never not been popular in the last couple decades.

It feels like it has become significantly more prevalent in the last couple years (tracking the rise of "business email compromise" being a term-of-art).

When you grab a domain which is plausibly very similar to the legit domain the organization you work with is using, you can forge emails that will make your email client show all sorts of “verification passed” badges next to them.

You can further appeal to developers’ geeky hearts by not making language mistakes and actually using verbiage present in real emails as sent by them.

You can exploit recent supply chain attacks and the sense of urgency and panic that developer blogs have created by pressing for even more urgency.

Seems like this does work. Don’t worry, when they actually target you, you’ll be caught.

I experience and wonder the same thing, but literally yesterday I had to help my grandmother recover from a phishing scam that actually (very nearly) worked on her. So there you go.

The worst (or best, I suppose) thing about phishing is that it automatically filters in the fools for you.

People realized that past phishing attempts were quite badly constructed and a well constructed one is actually really easy to fall for.

A little thing that doesn't help the situation is when legitimate emails link you to domains that aren't obviously controlled by the company.

For example, yesterday at work I got an onboarding email from Lattice (lattice.com) with a link to latticehq.com, which triggered my phishing instincts before I remembered that was their old domain.

Pure speculation - but I'm wondering if one or a few of the black hat players has figured out a good way to leverage AI to phish more effectively at scale, and are taking a stab at all the venues that host code that's within a lot of dependency chains.

It never became unpopular. It's one of, if not the, leading cause of compromise.

I can't imagine that the absurd number of greenhorns entering the industry due to their "vibecoding prowess", or the inevitable number of people in management that perpetuate this fantasy of nocoder devs has anything to do with it. Surely not.

One of the worst, my SO approved "notifications" on some website.. and was getting viral alert notifications via that system. It looks like a typical tray notification in windows, and other than it's got a chrome header, it would be pretty easy to fall for. And this is why, before they passed, one of my Grandmothers was on Linux, and my other was on a Chromebook... no cleaning off random Windows malware twice a year.

Being asked to login via an “internal login page” is a huge, bright red flag. It doesn’t matter what the reasoning is, if it’s not the same domain or an SSO integration that is well known to both you and the vendor then you shouldn’t be using it. This is security 101 type stuff.

I've grown old enough to ignore sense of urgency when coupled with authentication.

That e-mail does not pass my sniff test.

My bluesky post was the one quoted in the OP.

I do think it was a decent attempt. A phishing attempt making it past gmail's spam filter is somewhat rare for me. Certainly less than weekly. And something this targeted is definitely a ~yearly occurrence (or less).

The major tip-offs for me were:

1. It was weird to be getting this from the Rust Foundation. The phishers likely don't understand Rust's governance structure. It's a common misconception shared by outsiders.

2. If a security incident like this would have occurred, there would have 100% been some kind of public communication about it on the rust-lang.org domain. I get notified whenever there's a new post there. So I knew this wasn't referencing a real event.

3. I also knew that crates.io doesn't manage authentication. It farms that out to GitHub. So the crates.io people wouldn't be communicating to me about my GitHub credentials being compromised. It didn't make sense.

And then finally, the URL is funny.

The somewhat scary part here though is that all of my points above come from being pretty dialed into the Rust organization and how things actually work.

But yeah, as a general rule of thumb, I always question any email asking me to log into something that wasn't just activated by me (like a "forgot my password" flow or something).

Finally, when I worked at Salesforce, the IT team there would occasionally send out fake phishing emails and ask you to report them to the team. I never fell for one, but I assume if I had, I would have been notified about it. I thought it was a very effective campaign because it always kept me on my toes.

Sage advice

Definitely. I get scammers calling me from a caller id that claims to be my bank asking about suspicious charges, and they know my name and have my account info, but they ask for my full credit card number to "verify" it. Yet, they give different suspicious charges every time you ask.

The worst part is that when I call the bank to see if its legit, they are much less pleasant to deal with than the scammers...

> If your bank calls you, hang up and log in or call their support number yourself.

And don't trust the number you see on Google. Google is known to show scammers' phone numbers in featured snippets or in their new "AI Mode". Click on the link and make sure it's the correct site before trusting the number.

Always good advice for anything. A variation of this is that you should also not answer the negative: that you definitely did not do something, if someone asks you that on a phone call. This is meant to spread harm to others.

I was speaking to a pharmacist yesterday. Apparently certain pharmacy insurance companies in the US have set up call centers that randomly call people and ask.

"We are from the fraud check department. Did you ask for receiving XYZ medication that your insurance paid $$$$$$ for?". The guy who does who's salary is an order of magnitude smaller, immediately panics and denies he ever asked for XYZ, even though they are obviously taking the medication. The purpose is of-course for pharmacy insurance companies to challenge/deny claims for on ALL XYZ orders the pharmacy made.

Of course checking insurance payouts is a hassle so most people reach for panic first and shortly thereafter denial.

The spammy calls I've gotten lately are for "tax help from the IRS" ... I really feel there's a special place in hell for people that do that.

Let's say someone falls for this.

What happens next, when they become the business account secondary user?

This kind of incompetence should result in PayPal loosing its banking permits in the EU. This is unacceptable and there is no way for an average person to identify the fraud and that is PayPal's fault.

There should be no way to send custom text from Paypal to a stranger. They don't even parse out phone numbers!

Wow, thats pretty bad. Reminds me of the old Paypal Invoice scams where scammers would upload the paypal logo as the invoice logo (which appears top left) and essentially “bill” the user. The scammer the adds inside the invoice note a paragraph explaining “Your money is being held due to currency exchange issues”, which gives basic reason to the “monetary deduction”. It got me as a kid, was quite slick for the time. Thought these scam-methods would be at least flagged these days before going out.

Yeah, npm has orders of magnitude more users than crates.io. This attack's success, or lack thereof, has no bearing on the savviness of JavaScript or Rust developers.