> The author unpublished (erm, “liberated”) over 250 NPM modules, making those global names (e.g. “map”, “alert”, “iframe”, “subscription”, etc) available for anyone to register and replace with any code they wish.

And what’s the difference, if the NPM crew can change the owner of any package without judgment, only by an e-mail from any random person who claims to be the trademark owner? This random malicious person can seize any package and replace its content with anything else. NPM is broken by design; Azer just showed this security vulnerability to the community. Now many JS developers know that NPM is broken and any package can be tampered with. No trust anymore.