Remember kids, use your special autistic tendencies for good, not to be creepy.

digish0 boosted

I just noticed "foreach" on npm is controlled by a single maintainer.

I also noticed they let their personal email domain expire, so I bought it before someone else did.

I now control "foreach" on NPM, and the 36826 projects that depend on it.

digish0 boosted

1. Buy expired NPM maintainer email domains.
2. Re-create maintainer emails
3. Take over packages
4. Submit legitimate security patches that include package.json version bumps to malicious dependency you pushed
5. Enjoy world domination.

GRR server up and running but it's not using fleetspeak by default...

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.