After brief investigation of the top 1,000 downloaded NPM Packages, we found that a number of the package maintainers accounts have insufficient protection against basic account takeover methods. This could affect a number of downstream projects, some of which help host basic and foundational infrastructure in modern, digital society. In the tech world, we stand upon the shoulders of giants. If those giants have weak security authenticating their identities, they may crumble.
Reflections on the 36th Chaos Communication Congress