1. Buy expired NPM maintainer email domains.
2. Re-create maintainer emails
3. Take over packages
4. Submit legitimate security patches that include package.json version bumps to malicious dependency you pushed
5. Enjoy world domination.
I just noticed "foreach" on npm is controlled by a single maintainer.
I also noticed they let their personal email domain expire, so I bought it before someone else did.
I now control "foreach" on NPM, and the 36826 projects that depend on it.
@lrvick what do you plan to do with such power?
@wolf480pl Preventing other people from using it is enough. That and using it as a chance to educate pepole on why thy can't trust NPM.
@lrvick can we trust you more than we can trust npm?
@wolf480pl
@technicallypossible @wolf480pl I don't recommend trusting me... or any single individual, with this kind of power.
If someone asks me nicely with a rubber hose, I will be obliged to hand over access.
There is a reason the name of my company is "Distrust"
Distrust should lead to Distributed Trust.
Demand multisig code reviews, and multisig reproducibly built releases for anything that matters.
@wolf480pl @lrvick @technicallypossible 👆 Ouranium