In my experience the majority of hacks are from a compromised laptop of a production engineer. Everyone blindly NPM installs away all their problems and no one checks signatures anymore. Most are using package managers like Brew that don't sign anything to begin with.
At Distrust, my security consulting firm, we train all our clients to build production systems that require a minimum of two engineers to mutate, and to ensure that only pristine operating systems access production: systems running only signed, reproducible packages, that have never been used for anything else.
Production environments need to be managed like careful methodical clean-room labs with strict accountability. Instead they are managed like collaborative art projects where everyone is trusted and nothing bad can happen.
In this case, the anonymous source says that the Plex server was compromised, so I assume it was a developer's home PC, not a work laptop.
The breach was preceded by a couple of days by the Plex corporate breach, which divulged the engineer's credentials and home IP address.
This would have allowed the attackers to access the Plex server remotely, after which the source claims they used an RCE to install a keylogger (and probably a back door) on the engineer's PC.
The concerning part is that according to Plex devs (in their Reddit sub), they have NO KNOWLEDGE of any RCE. They also haven't communicated with LastPass, and no one reached out to them.
So if there's a Plex remote code exploit - it is still unpatched and actively being exploited - 8 months later!
Given that there is still no information on this Plex RCE, we should not assume that it requires authentication to function. So if you're using Plex, make sure to turn off public accessibility asap!
If you don't need remote access to your Plex, you should disable it. The cache features are pretty good, so you could download media while at home and have it on a device in the car or at work pretty easily.
I think it's pretty dubious that they could pin it on a Plex Media Server breach though. This is from the same company that sells LogMeIn and GoTo; I haven't heard definitively that those pieces of software weren't installed on there. Unless this machine was used for Plex and the occasional log in to work from home type thing, I doubt you could do the forensics on it with much reliability unless you got to it within days of the attack. If this is a normal devops guy? He's got 3 different chat apps, probably Steam, who knows what pirated crap is on there... Plex seems like a very convenient target; the Plex corporate attack seems very very plausible as giving the attacker information though.