1. Buy expired NPM maintainer email domains.
2. Re-create maintainer emails
3. Take over packages
4. Submit legitimate security patches that include package.json version bumps to malicious dependency you pushed
5. Enjoy world domination.

I just noticed "foreach" on npm is controlled by a single maintainer.

I also noticed they let their personal email domain expire, so I bought it before someone else did.

I now control "foreach" on NPM, and the 36826 projects that depend on it.

@lrvick@mastodon.social foreach sounds like a package that you shouldn't need with Array.prototype.forEach :blobfoxthonking:

@Johann150 yes, that's true. It made it into ECMAScript 5.1

Now if you, for _some_ weird reason, have a system that requires some _older_ build target, you get a polyfill.

That was provided by packages like this and should be helluva EOL nowadays. There are better-suited and highly automated polyfills.

Anyway, the issue is very real. This happened before and will happen again.

It's also the very same for most language-dependent package managers out there, and this is why version pinning is a thing.

So it could happen to PyPI (Python), RubyGems (Ruby), Crates (Rust), … too :-(
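As an added example (not from this thread, and not npm's own tooling), a small Node script that audits a package.json for the two signals raised above: version ranges that are not pinned, and a dependency whose only maintainer is reachable through an email domain the project does not control. Apart from "foreach", the package names, emails, domains and registry documents are constructed stand-ins.

```javascript
// Added example, not part of the thread. Audits a package.json against
// npm-style registry metadata for two risk signals: unpinned version ranges
// (a malicious bump resolves automatically) and a sole maintainer whose
// email domain is outside the project's control (a lapse hands over the
// account). All package data below except the name "foreach" is constructed.

// Constructed package.json of a hypothetical project.
const PACKAGE_JSON = {
  dependencies: {
    "foreach": "^2.0.5",
    "left-pad-ish": "1.3.0",
    "tilde-lib": "~0.4.1",
  },
};

// Constructed subset of each registry document; the real registry also
// exposes a `maintainers` array of { name, email } objects.
const REGISTRY = {
  "foreach": { maintainers: [{ name: "solo", email: "solo@lapsed-domain.test" }] },
  "left-pad-ish": { maintainers: [{ name: "a", email: "a@org.example" },
                                  { name: "b", email: "b@org.example" }] },
  "tilde-lib": { maintainers: [{ name: "c", email: "c@big-provider.example" }] },
};

// Assumption: domains the reviewer considers organisation-run rather than
// an individual's personal registration that could be allowed to expire.
const TRUSTED_DOMAINS = new Set(["org.example", "big-provider.example"]);

// Only an exact x.y.z spec counts as pinned; ^, ~, ranges and tags do not.
const EXACT_VERSION = /^\d+\.\d+\.\d+$/;
function isPinned(spec) { return EXACT_VERSION.test(spec.trim()); }

function emailDomain(email) {
  const at = email.lastIndexOf("@");
  return at === -1 ? "" : email.slice(at + 1).toLowerCase();
}

// One finding per dependency; fields are plain booleans for easy filtering.
function auditDependencies(pkg, registry, trustedDomains) {
  return Object.entries(pkg.dependencies).map(([name, spec]) => {
    const maintainers = (registry[name] && registry[name].maintainers) || [];
    const untrusted = maintainers.map((m) => emailDomain(m.email))
      .filter((d) => d !== "" && !trustedDomains.has(d));
    return {
      name,
      unpinned: !isPinned(spec),
      singleMaintainer: maintainers.length === 1,
      soleMaintainerOnUntrustedDomain: maintainers.length === 1 && untrusted.length === 1,
    };
  });
}

// Names that need attention before the next `npm install`.
function riskyPackages(findings) {
  return findings.filter((f) => f.unpinned || f.soleMaintainerOnUntrustedDomain)
    .map((f) => f.name);
}

console.log(riskyPackages(auditDependencies(PACKAGE_JSON, REGISTRY, TRUSTED_DOMAINS)));
```

Against the constructed input it reports "foreach" and "tilde-lib"; in practice a lockfile plus a check that maintainer domains still resolve would complement this.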


That's a different attack vector.

The above is turning a benevolent package into a malicious one while there is seemingly no change in authorship (same email address)
