| A | B | C | D | E | F | G | H | |
|---|---|---|---|---|---|---|---|---|
1 | NPM Supply Chain Security | |||||||
2 | WIP. Feel free to try password reset processes just far enough to take note of them (but don't actually do resets, that is illegal). Comment with what you find! Scripts to help automate this are very welcome. | |||||||
3 | If you like this kind of research and want to get to know us, chat with us on #!:matrix.org or irc.hashbang.sh/#! - Let's shine a spotlight on weak links in open source software security to protect everyone. | |||||||
4 | If your company relies on packages authored by one of these people, perhaps email them and offer to buy them a hardware 2FA device like a Yubikey, and ask them to disable insecure backup recovery methods. | |||||||
5 | More importantly, it is worth understanding that NPM itself does not have any phishing-resistant 2FA methods (like U2F) or signed package support. They have rejected these ideas, but let's prove to them why they need it. | |||||||
6 | Username | E-mail | # Maintained | # Downstream | 2FA Method (Least Secure) | Notes | Contacted | |
7 | mathias | mathias@qiwi.be | 606 | 39856 | SMS | had a yubikey option, but also had SMS recovery option | ||
8 | tjholowaychuk | tj@vision-media.ca | 543 | 51276 | ||||
9 | jdalton | john.david.dalton@gmail.com | 480 | 38447 | SMS, Reset Questions, Backup E-mail | Contacted via twitter 1/11 | x | |
10 | mikeal | mikeal.rogers@gmail.com | 206 | 37363 | SMS, Reset Question, backup e-mail | Contacted via twitter 1/11 | x | |
11 | somekittens | rkoutnik@gmail.com | 23 | 10787 | SMS, Recovery Question, backup e-mail | aol backup e-mail | ||
12 | nylen | jnylen@gmail.com | 41 | 19504 | SMS, Reset Question, backup e-mail | |||
13 | shadowspawn | npm_j@ruru.gen.nz | 5 | 10790 | ||||
14 | fredkschott | fkschott@gmail.com | 72 | 18194 | SMS | Comcast recovery e-mail | ||
15 | simov | simeonvelichkov@gmail.com | 75 | 19555 | SMS, Reset Question, backup e-mail | Contacted via e-mail 1/11 | x | |
16 | abetomo | abe@enzou.tokyo | 11 | 10786 | ||||
17 | 1000ch | shogosensui@gmail.com | 132 | 803 | SMS, backup e-mail | hotmail account | ||
18 | 11bit | buryak.ivan@yandex.ru | 1934 | |||||
19 | 3rdeden | npm@3rd-Eden.com | 8639 | |||||
20 | aaron | aaron.heckmann+github@gmail.com | 3464 | |||||
21 | aaronabramov | aaron@abramov.io | 2609 | |||||
22 | abernix | npmjs@jro.cc | 18 | |||||
23 | aboutblank | njuzhaoguoyan@foxmail.com | 0 | |||||
24 | acdlite | acdlite@me.com | 19271 | |||||
25 | acdlite | npm@andrewclark.io | 19271 | |||||
26 | adam_baldwin | evilpacket@gmail.com | 9619 | |||||
27 | adamvr | adam.rudd@uqconnect.edu.au | 297 | |||||
28 | addyosmani | addyosmani@gmail.com | 13220 | |||||
29 | adrianheine | mail@adrianheine.de | 800 | |||||
30 | aearly | alexander.early@gmail.com | 16994 | |||||
31 | afc163 | afc163@gmail.com | 1129 | |||||
32 | ahdinosaur | michael.williams@enspiral.com | 18344 | |||||
33 | aheckmann | aaron.heckmann+github@gmail.com | 1683 | |||||
34 | ahmadnassri | ahmad@ahmadnassri.com | 8000 | |||||
35 | ai | andrey@sitnik.ru | 7614 | |||||
36 | aikoven | dan.lytkin@gmail.com | 567 | |||||
37 | airbnbeng | opensource@airbnb.com | 6976 | |||||
38 | airbnb | jordan.harband+npm@airbnb.com | ||||||
39 | ajedi32 | andrewm.bpi@gmail.com | 334 | |||||
40 | akiran | kiran@neostack.com | 1662 | |||||
41 | akryum | guillaume.b.chau@gmail.com | 65 | |||||
42 | aleclarson | alec.stanford.larson@gmail.com | 10 | |||||
43 | alex3165 | alexr.3165@gmail.com | 122 | |||||
44 | alexaltea | alexandro@phi.nz | 616 | |||||
45 | alexgilbert | alex@punkave.com | 124 | |||||
46 | alexgorbatchev | alex.gorbatchev@gmail.com | 3685 | |||||
47 | alexindigo | iam@alexindigo.com | 838 | |||||
48 | alexlamsl | alexlamsl@gmail.com | 14318 | |||||
49 | alexmesser | dmzt08@gmail.com | 3 | |||||
50 | alubbe | npm@lubbe.org | 101 | |||||
51 | am11 | adeelbm@outlook.com | 2740 | |||||
52 | amasad | amjad.masad@gmail.com | 1317 | |||||
53 | amavisca | chris.amavisca@gmail.com | 2088 | |||||
54 | amidknight | josh@8fold.pro | 2293 | |||||
55 | amitosh | amitosh.swain@gmail.com | 510 | |||||
56 | ampedandwired | charles.blaxland@gmail.com | 1443 | |||||
57 | amphro | amphro@gmail.com | 0 | |||||
58 | amzn-oss | osa-3p@amazon.com | 1812 | |||||
59 | analog-nico | nicolai.kamenzky@testrails.org | 1198 | |||||
60 | anandthakker | vestibule@anandthakker.net | 18042 | |||||
61 | anatrajkovska | ana.trajkovska2015@gmail.com | 616 | |||||
62 | andarist | mateuszburzynski@gmail.com | 1229 | |||||
63 | andreiglingeanu | andrei.glingeanu@gmail.com | 17 | |||||
64 | andrewnez | andrewnez@gmail.com | 2794 | |||||
65 | andybitz | artzbitz@gmail.com | 616 | |||||
66 | andyearnshaw | andyearnshaw+npm@gmail.com | 117 | |||||
67 | andykog | mail@andykog.com | 127 | |||||
68 | angularcore | angular-core+npm@google.com | 4256 | |||||
69 | angular-devkit | hansl@google.com | 0 | |||||
70 | angular | devops+npm@angular.io | 4292 | |||||
71 | annekimsey | anne@npmjs.com | 0 | |||||
72 | anthonyshort | antshort@gmail.com | 2556 | |||||
73 | antonkovalyov | anton@kovalyov.net | 14176 | |||||
74 | anycli-bot | jdxcode+anycli@gmail.com | 0 | |||||
75 | aomarks | aomarks@google.com | 181 | |||||
76 | apollo-bot | npm@apollographql.com | 70 | |||||
77 | arb | arbretz@gmail.com | 71 | |||||
78 | ariaminaei | aria.minaei@gmail.com | 160 | |||||
79 | aromano | aromano@preemptsecurity.com | 1154 | |||||
80 | arschmitz | arschmitz@gmail.com | 162 | |||||
81 | arthurschreiber | schreiber.arthur@googlemail.com | 268 | |||||
82 | arthurvr | contact@arthurverschaeve.be | 1972 | |||||
83 | artokun | art.longbottom.jr@gmail.com | 50 | |||||
84 | artur | arturadib@gmail.com | 3127 | |||||
85 | arunoda | arunoda.susiripala@gmail.com | 831 | |||||
86 | arzafran | franco@basement.studio | 631 | |||||
87 | aseemk | aseem.kishore@gmail.com | 1439 | |||||
88 | ashaffer88 | darawk@gmail.com | 17710 | |||||
89 | asiandrummer | asiandrummer@gmail.com | 303 | |||||
90 | aslushnikov | aslushnikov@gmail.com | 0 | |||||
91 | atcastle | atcastle@gmail.com | 616 | |||||
92 | austinstarin | austin@punkave.com | 120 | |||||
93 | avianflu | charlie@charlieistheman.com | 1061 | |||||
94 | awaterma | awaterma@awaterma.net | 183 | |||||
95 | aweary | Kierkegaurd@gmail.com | 100 | |||||
96 | aws-sdk-bot | aws-sdk-js@amazon.com | 1809 | |||||
97 | axic | alex@rtfs.hu | 197 | |||||
98 | ayoung | andrewdyoung@gmail.com | 338 | |||||
99 | az7arul | az7arul@gmail.com | 607 | |||||
100 | azakus | dfreedm2@gmail.com | 390 | |||||