Bookmark: "I’m harvesting credit card numbers and passwords from your site. Here’s how."

Sebastian Greger


A fictional story showcasing a clever social-engineering exploit that turns an npm package into a backdoor vector for malicious code on every site that (transitively) depends on it.

On any page that collects any data that you don’t want me (or my fellow attackers) to have, don’t use npm modules. Or Google Tag Manager, or ad networks, or analytics, or any code that isn’t yours.

The author also shows that a Content Security Policy header does not fully prevent this kind of exfiltration. In the end it boils down to the article's own summary:

My goal (as it turns out) is simply to point out that any site that includes third party code is alarmingly vulnerable, in a completely undetectable way.

The recommendation is to serve any page that takes sensitive input (card numbers, passwords) in a sandboxed iframe on its own origin, running only hand-written JavaScript and none of the third-party code the rest of the site loads.
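As an added illustration of that isolated-frame pattern (this is example code, not from the bookmarked article or its author), assume the shop lives at https://shop.example and may load npm bundles, tag managers and analytics, while the card form is served from https://pay.example, a separate origin that serves only first-party script. Both hostnames are invented for the example. Scripts on the shop page cannot read the DOM of a cross-origin frame, the frame's own CSP keeps third-party code out of it, and only an opaque token ever crosses the boundary:

```javascript
'use strict';

// Assumed names for the example: the shop origin that embeds the form and
// the isolated origin that serves the form.
const SHOP_ORIGIN = 'https://shop.example';
const PAY_ORIGIN = 'https://pay.example';

// Response headers for every page served from the payment origin.
// Hosts are listed explicitly rather than via 'self' so the policy stays
// unambiguous even if the page is ever loaded with an opaque origin.
function paymentFrameHeaders() {
  const csp = [
    "default-src 'none'",              // nothing loads unless listed below
    `script-src ${PAY_ORIGIN}`,        // only our own hand-written script
    `style-src ${PAY_ORIGIN}`,
    `form-action ${PAY_ORIGIN}`,       // the card form may only POST to us
    `frame-ancestors ${SHOP_ORIGIN}`,  // only the shop may embed this page
    "base-uri 'none'",
    "object-src 'none'",
  ].join('; ');
  return {
    'Content-Security-Policy': csp,
    'Referrer-Policy': 'no-referrer',
    'X-Content-Type-Options': 'nosniff',
  };
}

// Markup the shop page uses to embed the form. The isolation comes from the
// different origin; the sandbox tokens additionally stop the frame from
// opening popups or navigating the parent. allow-same-origin stays so the
// frame keeps its own origin for its own requests; that is only safe
// because the shop never serves this page from shop.example itself.
function parentIframeMarkup() {
  return `<iframe src="${PAY_ORIGIN}/card" ` +
    'sandbox="allow-scripts allow-forms allow-same-origin" ' +
    'referrerpolicy="no-referrer"></iframe>';
}

// On the shop page: the outcome arrives via postMessage. Accept only
// messages from the payment origin and only the fields expected, so a
// third-party script running in the shop window (whose own messages carry
// event.origin === SHOP_ORIGIN) cannot spoof a successful payment.
// Returns the accepted payload, or null for anything rejected.
function handleFrameMessage(event) {
  if (event.origin !== PAY_ORIGIN) return null;
  const data = event.data;
  if (!data || typeof data !== 'object') return null;
  if (data.type !== 'payment-result') return null;
  if (typeof data.token !== 'string' ||
      !/^[A-Za-z0-9_-]{16,128}$/.test(data.token)) return null;
  return { token: data.token };
}

// Inside the frame: after the card has been tokenised with the payment
// backend, post only the token back, addressed explicitly to the shop
// origin so a page on any other origin that managed to frame us never
// receives it. The card number itself never leaves the frame.
function postResultToParent(parentWindow, token) {
  parentWindow.postMessage({ type: 'payment-result', token }, SHOP_ORIGIN);
}

// Wiring in the browser (not executed here):
//   shop page:  window.addEventListener('message', e => {
//                 const r = handleFrameMessage(e); if (r) submitOrder(r.token);
//               });
//   card frame: postResultToParent(window.parent, tokenFromBackend);
```

One caveat worth keeping in mind, which is exactly the article's thesis: the frame protects what the user types into the genuine form, but a malicious script on the shop page can still remove the iframe and draw a look-alike form in its place. The isolation narrows what third-party code on the outer page can reach; it does not make that code trustworthy.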

I'm Sebastian, Sociologist and Interaction Designer. This journal is mostly about bringing together social science and design for inclusive, privacy-focused, and sustainable "human-first" digital strategies. I also tend to a "digital garden" with carefully curated resources.
