LLMs making phishing and supply chain attacks worse
A detailed post-mortem on a likely nation-state attack noted that LLMs have made phishing attempts look dramatically more legitimate. The thread on a failed attack included one commenter pointing out that malicious code embedded in job offers and business proposals has been a vector for a few years, but the LLM-polished social engineering layer is new and harder to flag on instinct alone.
The connection to the npm-scan supply chain security thread reinforces a broader security deterioration story. The attack surface for social engineering has widened because the quality floor for a convincing malicious interaction has dropped to nearly zero. One commenter noted the tell in the attack story was a specific phrase that 'real people don't talk like the J. Peterman catalog,' which is a thin defense.
The thread sentiment is worried but not panicked. People are sharing detection heuristics, which is useful but also highlights that there is no systematic solution being proposed.
So what?
Security review processes built around catching poorly-written phishing are now obsolete. Founders need to update their threat models to assume that any inbound communication asking for code access, credentials, or financial action could be well-written and well-researched. Verification by phone or in-person for any sensitive action is table stakes now.