Feb. 16, 2023, 6:30 p.m. | info@thehackernews.com (The Hacker News)


A popular npm package with more than 3.5 million weekly downloads has been found vulnerable to an account takeover attack.
"The package can be taken over by recovering an expired domain name for one of its maintainers and resetting the password," software supply chain security company Illustria said in a report.
While npm's security protections limit users to have only one active email address
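The takeover path described above starts with a maintainer e-mail whose domain has lapsed. One defensive check a consumer of a package can run is to pull the registry document for each dependency and flag maintainers whose e-mail domain no longer resolves. The code below is an added example and is not from the report or from npm; the package name, maintainer names and e-mail addresses in the sample document are constructed, and the resolver is injectable so the check can be run offline or replaced with a WHOIS/RDAP lookup.

```python
import json
import socket
from typing import Callable, Dict, List

# Constructed sample in the shape of an npm registry document
# (https://registry.npmjs.org/<name>), trimmed to the fields this check needs.
# Names and addresses are made up; the .invalid TLD never resolves.
SAMPLE_PACKAGE_JSON = """
{
  "name": "example-widget",
  "maintainers": [
    {"name": "alice", "email": "alice@example.com"},
    {"name": "bob",   "email": "bob@lapsed-placeholder.invalid"}
  ]
}
"""


def maintainer_domains(package_json: str) -> Dict[str, str]:
    """Map each maintainer name to the domain part of its e-mail address."""
    doc = json.loads(package_json)
    domains: Dict[str, str] = {}
    for m in doc.get("maintainers", []):
        email = m.get("email", "")
        if "@" in email:
            domains[m["name"]] = email.rsplit("@", 1)[1].lower()
    return domains


def domain_resolves(domain: str) -> bool:
    """Default resolver: True if the domain has any address record.
    A domain with no A/AAAA record is only a signal, not proof of expiry;
    confirm with a WHOIS/RDAP query before escalating."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def dangling_maintainers(package_json: str,
                         resolves: Callable[[str], bool] = domain_resolves) -> List[str]:
    """Return maintainers whose e-mail domain fails the resolver check."""
    return [name for name, dom in maintainer_domains(package_json).items()
            if not resolves(dom)]


if __name__ == "__main__":
    print(dangling_maintainers(SAMPLE_PACKAGE_JSON))
```

Run it against the real registry document for each package in a lockfile and review the flagged maintainers with the package's owners; an unresolvable domain is a lead to confirm, not a verdict.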
