The situation with npm package integrity is getting quite ridiculous.
Just to clarify, what domain did they let expire? Is this the email in the author field of package.json? So the attack vector is to take over that domain, run an email server, and reset the account password on npmjs.org?