NEWS
World domination (how-to)
- Buy expired NPM maintainer email domains.
- Re-create maintainer emails
- Take over packages
- Submit legitimate security patches that include package.json version bumps to malicious dependency you pushed
- Enjoy world domination.
I just noticed "foreach" on npm is controlled by a single maintainer.
I also noticed they let their personal email domain expire, so I bought it before someone else did.
I now control "foreach" on NPM, and the 36826 projects that depend on it.
This xkcd is really the only thing that comes to mind:
npm finally supports WebAuthn ("passwordless" auth) now as well
https://github.blog/2022-05-10-enhanced-2fa-experience-for-your-npm-account/ (the maintainers have to enable it themselves, of course, so unfortunately it is no help for orphaned accounts...)
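
A defender-side check for the risk described above, as an added example that is not part of the original post: it audits the maintainer email domains of your own dependencies and flags those that have expired or are about to. The function names, package names, domains and dates are constructed, and the expiry dates are assumed to be collected separately (for instance from RDAP or WHOIS lookups) and passed in.

```javascript
// Added example: package names, domains and dates below are constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Lower-cased domain of a maintainer email, or null if it is unusable.
function emailDomain(email) {
  const at = typeof email === "string" ? email.lastIndexOf("@") : -1;
  return at > 0 && at < email.length - 1 ? email.slice(at + 1).toLowerCase() : null;
}

// packuments: registry metadata ({ name, maintainers: [{ name, email }] }).
// domainExpiry: Map domain -> ISO expiry date, collected separately (assumed input).
function auditMaintainerDomains(packuments, domainExpiry, now, warnDays = 90) {
  const findings = [];
  for (const pkg of packuments) {
    const maintainers = pkg.maintainers || [];
    // A sole maintainer means a single account guards the whole package.
    const soleMaintainer = maintainers.length === 1;
    for (const m of maintainers) {
      const domain = emailDomain(m.email);
      const base = { pkg: pkg.name, maintainer: m.name, domain, soleMaintainer };
      if (!domain) {
        findings.push({ ...base, issue: "no-usable-email", daysLeft: null });
        continue;
      }
      const expiry = domainExpiry.get(domain);
      if (expiry === undefined) continue; // no registration data: not assessed
      const daysLeft = Math.floor((Date.parse(expiry) - now.getTime()) / DAY_MS);
      if (daysLeft >= warnDays) continue;
      const issue = daysLeft < 0 ? "domain-expired" : "domain-expiring";
      findings.push({ ...base, issue, daysLeft });
    }
  }
  // Sole-maintainer packages first, then the soonest (or longest-past) expiry.
  return findings.sort((a, b) =>
    (b.soleMaintainer - a.soleMaintainer) || ((a.daysLeft ?? 0) - (b.daysLeft ?? 0)));
}

const samplePackuments = [
  { name: "example-left", maintainers: [{ name: "alice", email: "alice@alice-personal.example" }] },
  { name: "example-util", maintainers: [{ name: "bob", email: "bob@team-mail.example" },
                                        { name: "carol", email: "carol@carol-home.example" }] },
  { name: "example-core", maintainers: [{ name: "dave", email: "dave@stable-corp.example" }] },
];
const sampleExpiry = new Map([
  ["alice-personal.example", "2022-04-01"], ["team-mail.example", "2023-09-30"],
  ["carol-home.example", "2022-06-15"], ["stable-corp.example", "2027-01-01"],
]);
const report = auditMaintainerDomains(samplePackuments, sampleExpiry, new Date("2022-05-10T00:00:00Z"));
console.log(report);
```

Findings are a prompt to pin the affected dependency to a known-good version and review new releases before upgrading.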