1. Buy expired NPM maintainer email domains.
2. Re-create maintainer emails.
3. Take over packages.
4. Submit legitimate security patches that include package.json version bumps to a malicious dependency you pushed.
5. Enjoy world domination.

I just noticed "foreach" on npm is controlled by a single maintainer.

I also noticed they let their personal email domain expire, so I bought it before someone else did.

I now control "foreach" on NPM, and the 36826 projects that depend on it.

@wolf480pl Preventing other people from using it is enough. That and using it as a chance to educate people on why they can't trust NPM.

@technicallypossible @wolf480pl I don't recommend trusting me... or any single individual, with this kind of power.

If someone asks me nicely with a rubber hose, I will be obliged to hand over access.

There is a reason the name of my company is "Distrust".

Distrust should lead to Distributed Trust.

Demand multisig code reviews, and multisig reproducibly built releases for anything that matters.
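A defensive check for the risk this thread describes, as an added example (not the thread author's code): scan the maintainer metadata of your dependencies for packages with a single maintainer or a maintainer email whose domain no longer resolves. The registry documents and the domain-liveness lookup below are constructed stand-ins; in practice the document comes from the npm registry's `GET /<package>` endpoint and the lookup would be a real DNS query.

```python
"""Audit npm registry metadata for the single-maintainer / dead-email-domain
risk. Added example, not the thread author's code. Input mimics the npm
registry's GET /<name> document reduced to the fields needed; all sample data
is constructed. Domain liveness is supplied by the caller (assumption: any
callable str -> bool), so the audit runs offline here."""
from typing import Callable, Dict, Iterable, List

# Constructed sample registry documents (not real registry data).
SAMPLE_REGISTRY: Dict[str, dict] = {
    "foreach": {"name": "foreach", "maintainers": [
        {"name": "solo", "email": "solo@expired-example.invalid"}]},
    "twomaint": {"name": "twomaint", "maintainers": [
        {"name": "a", "email": "a@example.com"},
        {"name": "b", "email": "b@example.org"}]},
}

# Constructed stand-in for DNS state: the domains that still resolve.
LIVE_DOMAINS = {"example.com", "example.org"}

def constructed_resolver(domain: str) -> bool:
    """Stand-in for a real MX/A lookup; True if the domain is still live."""
    return domain in LIVE_DOMAINS

def email_domain(email: str) -> str:
    """Lowercase domain part of an address, or '' if the address is malformed."""
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""

def audit_package(doc: dict, domain_is_live: Callable[[str], bool]) -> List[str]:
    """Return risk findings for one registry document."""
    findings: List[str] = []
    maintainers = doc.get("maintainers", [])
    if len(maintainers) < 2:
        findings.append("single-maintainer")  # one account, one point of failure
    for m in maintainers:
        dom = email_domain(m.get("email", ""))
        if not dom or not domain_is_live(dom):
            # Dead or missing domain: whoever registers it can re-create the address.
            findings.append(f"dead-email-domain:{dom or '<none>'}")
    return findings

def audit_dependencies(names: Iterable[str], registry: Dict[str, dict],
                       domain_is_live: Callable[[str], bool]) -> Dict[str, List[str]]:
    """Audit every named package that is present in the registry snapshot."""
    return {n: audit_package(registry[n], domain_is_live) for n in names if n in registry}

if __name__ == "__main__":
    for name, issues in audit_dependencies(SAMPLE_REGISTRY, SAMPLE_REGISTRY, constructed_resolver).items():
        print(name, "->", issues or "ok")
```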