ws has four npm publishers. Three haven't published in over a decade:
| npm account |
Last publish |
Inactive |
einaros |
Jun 2013 (v0.4.27) |
13 years |
v1 |
Nov 2014 (v0.5.0) |
~12 years |
3rdeden |
Jun 2016 (v1.1.1) |
10 years |
lpinca is the only active publisher.
Risk: A compromised dormant account (credential stuffing, phished recovery email, token leak) gives the attacker npm publish access to ~220M weekly downloads. Dormant accounts carry higher risk because MFA may not be enabled, recovery emails may be outdated, and password practices from 2013 predate most credential databases.
Two accounts (v1 and 3rdeden) share the 3rd-Eden.com email domain on npm. That same domain hosts the security reporting address in SECURITY.md — a single domain compromise could expose both npm publisher accounts and intercept vulnerability reports.
Fix (~30 seconds):
npm owner rm einaros ws
npm owner rm v1 ws
npm owner rm 3rdeden ws
GitHub contributions and history are unaffected. This only removes npm publish access; it can be re-granted if any of these maintainers return to active publishing.
Additional hardening: npm Staged Publishing adds a human approval step before any publish reaches latest, preventing a single compromised credential from pushing directly.
Publisher data from Commit lifecycle analysis.
ws has four npm publishers. Three haven't published in over a decade:
einarosv13rdedenlpincais the only active publisher.Risk: A compromised dormant account (credential stuffing, phished recovery email, token leak) gives the attacker npm publish access to ~220M weekly downloads. Dormant accounts carry higher risk because MFA may not be enabled, recovery emails may be outdated, and password practices from 2013 predate most credential databases.
Two accounts (
v1and3rdeden) share the3rd-Eden.comemail domain on npm. That same domain hosts the security reporting address inSECURITY.md— a single domain compromise could expose both npm publisher accounts and intercept vulnerability reports.Fix (~30 seconds):
GitHub contributions and history are unaffected. This only removes npm publish access; it can be re-granted if any of these maintainers return to active publishing.
Additional hardening: npm Staged Publishing adds a human approval step before any publish reaches
latest, preventing a single compromised credential from pushing directly.Publisher data from Commit lifecycle analysis.