PSA: You have 28 days to respond to NPM package takeovers, or you'll lose them

10 points

8 years ago

Learned the hard way. I got an email from a person trying to take over one of my NPM packages on November 16th. I didn't see the email until today (I don't check email very often), and NPM had already transferred the package to the third party on December 15th without my consent.

Turns out, it's laid out in the NPM policy. You have exactly 4 weeks to respond to a takeover request, or you lose the package: https://www.npmjs.com/policies/disputes

Now I've set up a canned response in Gmail to automatically respond to NPM support if they try to do it again. Maybe that will help. Makes me very nervous about my other packages though.

Seems like a pretty good attack vector for hackers.

6 comments