NEWS
World domination (how-to)
-
@lrvick at mastodon.social :point_left:
- Buy expired NPM maintainer email domains.
- Re-create maintainer emails
- Take over packages
- Submit legitimate security patches that include package.json version bumps to malicious dependency you pushed
- Enjoy world domination.
:thinking_face:
@lrvick at mastodon.social :elephant:
I just noticed "foreach" on npm is controlled by a single maintainer.
I also noticed they let their personal email domain expire, so I bought it before someone else did.
I now control "foreach" on NPM, and the 36826 projects that depend on it.
:boom:
The only thing that comes to mind here is this xkcd:

npm can now finally do webauthn ("passwordless" auth) too :point_right: https://github.blog/2022-05-10-enhanced-2fa-experience-for-your-npm-account/ (but of course the maintainers have to enable it themselves, so for orphaned accounts it is unfortunately no help...)
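As an added example (not from the toots or the post above), here is the kind of check a consumer of npm packages can run against their own dependency tree to spot exactly the weak spot described: a package whose only maintainer is reachable through an email domain that no longer resolves. The registry documents and package names below are constructed sample data; the resolver is injectable so the audit can run offline, and a DNS lookup is only a cheap approximation of "is this domain still registered".

```python
"""Flag npm packages whose maintainer email domains look lapsed.

Constructed sample in the shape of registry metadata (the "maintainers"
array of `npm view <pkg> --json`); package names and addresses are made up.
"""
import socket
from dataclasses import dataclass, field

SAMPLE_REGISTRY = {
    "foreach-like": {"maintainers": [{"name": "solo", "email": "solo@lapsed-example.invalid"}]},
    "solo-but-alive": {"maintainers": [{"name": "one", "email": "one@example.org"}]},
    "mixed-team": {"maintainers": [{"name": "a", "email": "a@example.org"},
                                   {"name": "b", "email": "b@lapsed-example.invalid"}]},
    "well-staffed": {"maintainers": [{"name": "c", "email": "c@example.org"},
                                     {"name": "d", "email": "d@example.net"}]},
}


@dataclass
class Finding:
    package: str
    risk: str                # "critical" or "warn"
    maintainer_count: int
    dead_domains: list = field(default_factory=list)


def email_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def domain_resolves(domain: str) -> bool:
    """Approximation: a domain with no DNS answer at all is a candidate for
    re-registration. An RDAP/WHOIS expiry check would be the authoritative test."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def audit(registry: dict, resolver=domain_resolves) -> list:
    """One finding per package that has a single maintainer or a dead domain;
    both together is the account-takeover case described in the toots."""
    findings = []
    for pkg, doc in registry.items():
        maintainers = doc.get("maintainers") or []
        domains = sorted({email_domain(m["email"]) for m in maintainers if m.get("email")})
        dead = [d for d in domains if not resolver(d)]
        if len(maintainers) <= 1 and dead:
            risk = "critical"    # one account, and its recovery domain is up for grabs
        elif dead or len(maintainers) <= 1:
            risk = "warn"        # single point of failure, or a lapsed co-maintainer
        else:
            continue
        findings.append(Finding(pkg, risk, len(maintainers), dead))
    return findings
```

Feed it the real metadata of your lockfile's packages to get a prioritised list of dependencies worth pinning, vendoring, or asking the maintainer to add a second owner and 2FA to.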