1. Buy expired NPM maintainer email domains.
2. Re-create maintainer emails
3. Take over packages
4. Submit legitimate security patches that include package.json version bumps to malicious dependency you pushed
5. Enjoy world domination.

I'm sick investigating on privacy violations. Even after many years of research on the companies making money with illegally obtained data such as SafeGraph, I am not used to the violence enabled by such business. I spend weeks, months, usually for free, documenting the links between these companies and governments, law enforcement, etc. Few of my researches were published (The Markup, WST, etc.) but today I feel alone and powerless.