1. Buy expired NPM maintainer email domains.
2. Re-create maintainer emails
3. Take over packages
4. Submit legitimate security patches that include package.json version bumps to a malicious dependency you pushed
5. Enjoy world domination.

I just noticed "foreach" on npm is controlled by a single maintainer.

I also noticed they let their personal email domain expire, so I bought it before someone else did.

I now control "foreach" on NPM, and the 36826 projects that depend on it.

@lrvick@mastodon.social foreach sounds like a package that you shouldn't need with Array.prototype.forEach :blobfoxthonking:

@Johann150 yes, that's true. It made it into ECMAScript 5.1

Now, if for _some_ weird reason you've a system that requires some _older_ build target, you get a polyfill.

That was provided by packages like this and should be helluva EOL nowadays. There are better suited and highly automated polyfills.

Anyway, the issue is very real. This happened before and will happen again.

It's also the very same for most language-dependent package managers out there, and this is why version pinning is a thing.

So it could happen to PyPI (Python), RubyGems (Ruby), Crates (Rust), … too :-(
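The attack chain in the first post (single maintainer, personal email domain, account recovery by mail, then a version bump into a malicious dependency) and the version-pinning remark above suggest two cheap checks a project can run over its own manifest. The script below is an added example, not code from any poster in this thread: it flags dependencies whose version spec is not an exact pin, dependencies with a single maintainer, and maintainer email domains that are not big public mail providers (the ones that can lapse and be re-registered). The `package.json` and the maintainer table are constructed inputs; the table is shaped roughly like the output of `npm view <pkg> maintainers --json`, and the package names, people, and domains are hypothetical. The actual registration-expiry lookup (whois/DNS) needs network access and is left out.

```python
"""Audit a package.json for unpinned deps, single-maintainer deps and
maintainer email domains worth checking for registration expiry.
Added example; inputs below are constructed, not real registry data."""
import json
import re

# Constructed manifest of a hypothetical project.
PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {
        "foreach": "^2.0.5",   # caret range: a new minor/patch is auto-picked up
        "left-pad": "1.3.0",   # exact pin
        "lodash": "~4.17.0",   # tilde range
        "express": "*",        # anything goes
    },
})

# Constructed maintainer data, shaped roughly like `npm view X maintainers --json`.
# All names, emails and domains are hypothetical.
REGISTRY_MAINTAINERS = {
    "foreach": [{"name": "solo-dev", "email": "solo@personal-domain.example"}],
    "left-pad": [{"name": "alice", "email": "alice@corp.example"},
                 {"name": "bob", "email": "bob@corp.example"}],
    "lodash": [{"name": "carol", "email": "carol@gmail.com"}],
    "express": [{"name": "dave", "email": "dave@corp.example"},
                {"name": "erin", "email": "erin@gmail.com"}],
}

# Partial, hand-picked list (assumption): large providers whose domains do not
# expire out from under a user the way a personal domain can.
PUBLIC_MAIL_PROVIDERS = {
    "gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
    "yahoo.com", "protonmail.com", "proton.me", "icloud.com",
}

# Exact semver: MAJOR.MINOR.PATCH with optional pre-release / build metadata.
# Anything else (ranges, tags, git URLs, "*") counts as unpinned.
EXACT_VERSION = re.compile(
    r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$"
)


def _deps(package_json: str) -> dict[str, str]:
    return json.loads(package_json).get("dependencies", {})


def email_domain(email: str) -> str:
    """Lower-cased domain part of an email address."""
    return email.rsplit("@", 1)[-1].lower()


def unpinned_deps(package_json: str) -> dict[str, str]:
    """Dependencies whose spec would let a freshly published version in."""
    return {n: s for n, s in _deps(package_json).items()
            if not EXACT_VERSION.match(s)}


def single_maintainer_deps(package_json: str, registry: dict) -> dict[str, str]:
    """Dependencies with exactly one maintainer, mapped to that person's email domain."""
    out = {}
    for name in _deps(package_json):
        people = registry.get(name, [])
        if len(people) == 1 and people[0].get("email"):
            out[name] = email_domain(people[0]["email"])
    return out


def custom_domains_to_check(package_json: str, registry: dict) -> set[str]:
    """Maintainer email domains that are not big public providers: these are
    the ones whose registration expiry is worth monitoring."""
    domains = set()
    for name in _deps(package_json):
        for person in registry.get(name, []):
            email = person.get("email")
            if email and email_domain(email) not in PUBLIC_MAIL_PROVIDERS:
                domains.add(email_domain(email))
    return domains


def high_risk_deps(package_json: str, registry: dict) -> dict[str, str]:
    """The combination from the thread: one maintainer AND a custom email domain."""
    return {n: d for n, d in single_maintainer_deps(package_json, registry).items()
            if d not in PUBLIC_MAIL_PROVIDERS}


def audit(package_json: str, registry: dict) -> dict:
    return {
        "unpinned": unpinned_deps(package_json),
        "single_maintainer": single_maintainer_deps(package_json, registry),
        "custom_domains": sorted(custom_domains_to_check(package_json, registry)),
        "high_risk": high_risk_deps(package_json, registry),
    }


if __name__ == "__main__":
    print(json.dumps(audit(PACKAGE_JSON, REGISTRY_MAINTAINERS), indent=2))
```

Exact pins (and the integrity hashes a lockfile records) only protect you against the version-bump step: an attacker who controls the account can publish a new version, but cannot replace the one you already pinned. The maintainer-count and domain checks are the early warning for the account-takeover steps before that.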


@RyunoKi …and browser extensions and game mods. Heck, whatever allows regaining access to an account via mail, basically.

No 2FA on your Google Dev account? Too bad 🙃

@RyunoKi Google boo whatever. Try releasing a Chrome extension without :P

(Or an Android app).


Why would I want to write for Chrome?
That doesn't help Firefox at all.
