Skip to content

Dormant npm publish access — 3 accounts inactive 10–13 years #2330

Description

@piiiico

ws has four npm publishers. Three haven't published in over a decade:

npm account Last publish Inactive
einaros Jun 2013 (v0.4.27) 13 years
v1 Nov 2014 (v0.5.0) ~12 years
3rdeden Jun 2016 (v1.1.1) 10 years

lpinca is the only active publisher.

Risk: A compromised dormant account (credential stuffing, phished recovery email, token leak) gives the attacker npm publish access to ~220M weekly downloads. Dormant accounts carry higher risk because MFA may not be enabled, recovery emails may be outdated, and password practices from 2013 predate most credential databases.

Two accounts (v1 and 3rdeden) share the 3rd-Eden.com email domain on npm. That same domain hosts the security reporting address in SECURITY.md — a single domain compromise could expose both npm publisher accounts and intercept vulnerability reports.

Fix (~30 seconds):

npm owner rm einaros ws
npm owner rm v1 ws
npm owner rm 3rdeden ws

GitHub contributions and history are unaffected. This only removes npm publish access; it can be re-granted if any of these maintainers return to active publishing.

Additional hardening: npm Staged Publishing adds a human approval step before any publish reaches latest, preventing a single compromised credential from pushing directly.

Publisher data from Commit lifecycle analysis.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions