1. Buy expired NPM maintainer email domains.
2. Re-create maintainer emails.
3. Take over packages.
4. Submit legitimate security patches that include package.json version bumps to a malicious dependency you pushed.
5. Enjoy world domination.

I just noticed "foreach" on npm is controlled by a single maintainer.

I also noticed they let their personal email domain expire, so I bought it before someone else did.

I now control "foreach" on NPM, and the 36826 projects that depend on it.

@MylesBorins@twitter.com noted owner emails don't always match account emails, which can offer limited mitigation. Social engineering to account support with an owner email is plan B.

Thankfully better MFA started rolling out today.

Now we just need code signing.

twitter.com/MylesBorins/status


Additional context on this thread was published in this article on
@TheRegister@twitter.com including past efforts with my friend @JohnNaulty@twitter.com trying to call attention to NPM and Github supply chain security issues.

theregister.com/2022/05/10/sec


Just had a great chat with
@MylesBorins@twitter.com on @npmjs security.

They are actively implementing account takeover defenses and there is at least some interest in bigger picture solutions like signing and web of trust.

I'll try to work with them vs against them moving forward.

TL;DR: IATA.

Even if an org has been dismissive of security problems historically, reach out again before putting them on blast.

Leadership and goals of companies can change, so it is good to keep a jar of second chances handy.

Last update before I ignore social media for a few months again so I can resume being productive.

I contacted the foreach maintainer to close other account takeover vectors I didn't make public, and am returning their domain.

Maintainers: WebAuthn and sign all the things.
