The email addresses of all npm users are reportedly publicly available: the address registered to an account is returned when its profile page is requested, so anyone can look up which address a maintainer signed up with.
The takeover proceeds in a few steps:

1. Obtain the email address registered to the target maintainer account.
2. Check whether the domain of that address has lapsed and, if so, purchase the expired domain name.
3. With the domain under their control, receive mail for the account's address and request a password reset for the npm account.
4. This step ran into some problems, which the researchers resolved by contacting npm technical support.
5. The password of the ajv-formats package maintainer's account was then successfully reset; the researchers logged in and took over the project.
The researchers said they sent their findings to the npm security team before the study was released. Although they received no feedback, npm announced plans to gradually enforce 2FA (two-factor authentication) for developer accounts before the study was officially published.