“Supply Chain Attacks”, Lance R. Vick (2022-05-09):

I just noticed foreach on npm is controlled by a single maintainer.

I also noticed they let their personal email domain expire, so I bought it before someone else did.

I now control foreach on NPM, and the 36,826 projects that depend on it.

  1. Buy expired NPM maintainer email domains.

  2. Re-create maintainer emails.

  3. Take over packages.

  4. Submit legitimate security patches that include package.json version bumps to a malicious dependency you pushed.

  5. Enjoy world domination.
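A defender-side audit for the precondition the thread describes (a package with a single maintainer whose email domain is no longer registered), added here as an example and not Lance Vick's code: the registry metadata is constructed in the shape of the npm registry's `maintainers` field, and the domain check is an injected stand-in so the audit runs offline.

```python
"""Flag dependencies exposed to the maintainer-domain takeover described in the
thread. Added example; SAMPLE_REGISTRY and offline_resolver are constructed."""
from dataclasses import dataclass

# Constructed sample in the shape of the npm registry's package document
# (https://registry.npmjs.org/<name>); maintainer data here is made up.
SAMPLE_REGISTRY = {
    "foreach": {"maintainers": [{"name": "m1", "email": "dev@expired-example.test"}]},
    "pkg-b": {"maintainers": [{"name": "a", "email": "a@example.org"},
                              {"name": "b", "email": "b@example.net"}]},
    "pkg-c": {"maintainers": [{"name": "c", "email": "c@example.com"}]},
}

# Constructed stand-in for "is this domain still registered?". In a real audit
# replace it with an NS lookup (e.g. dnspython's dns.resolver.resolve(d, "NS")).
KNOWN_DOMAINS = {"example.org", "example.net", "example.com"}


def offline_resolver(domain: str) -> bool:
    return domain in KNOWN_DOMAINS


@dataclass
class Finding:
    package: str
    maintainer_count: int
    unresolvable_domains: list


def email_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()


def audit(registry: dict, resolves) -> list:
    """One Finding per package with a single maintainer or a dead email domain."""
    findings = []
    for name, meta in registry.items():
        maints = meta.get("maintainers", [])
        domains = {email_domain(m["email"]) for m in maints if m.get("email")}
        dead = sorted(d for d in domains if not resolves(d))
        if len(maints) <= 1 or dead:
            findings.append(Finding(name, len(maints), dead))
    return findings


def risk(f: Finding) -> str:
    # Single maintainer AND unregistered domain is the exact condition in the thread.
    if f.maintainer_count <= 1 and f.unresolvable_domains:
        return "CRITICAL"
    return "WARN"
```

Run `audit` over the registry documents of every package in your lockfile; a CRITICAL finding means one expired domain registration separates that package from an account reset.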