1. Buy expired NPM maintainer email domains.
2. Re-create maintainer emails
3. Take over packages
4. Submit legitimate security patches that include package.json version bumps to malicious dependency you pushed
5. Enjoy world domination.

I just noticed "foreach" on npm is controlled by a single maintainer.

I also noticed they let their personal email domain expire, so I bought it before someone else did.

I now control "foreach" on NPM, and the 36826 projects that depend on it.

@lrvick It seems that the (in)famous is-equal has a developer dependency to it 😁

· · Web · 0 · 0 · 0
Sign in to participate in the conversation
Mastodon.green

Mastodon.green is a community for anyone living in the European Union