
Although nothing malicious has happened yet, that change in the readme ("this package name is for sale") is spammy and concerning. Kudos to niftylettuce (love your blog!) for raising awareness.

This is yet another example of a (by now fairly known) vulnerability in the npm package ownership transfer process. Just a few months ago, there was a big drama with malicious code found in a popular package `event-stream`, placed by a new unknown owner.

I like one of the ideas in the GitHub issue, that a change in package ownership should be considered a major semver bump. At least that might reduce the reach of a bad actor who would buy a popular package for exploitation.



Woof. I didn't even notice the "for sale" part at first. That's probably the biggest red flag. You should never sell a backdoor into thousands of codebases to the highest bidder.

Of course, the real problem is thousands of codebases shouldn't be banking on the honor system for stuff like this.
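A check in the spirit of both comments above (an ownership change should be treated like a breaking change, and consumers should not rely on the honor system), as an added example that is not from this thread or from npm itself: it scans a package's version metadata for changes in the publishing account and flags any that arrived without a major version bump. The packument below is constructed; `_npmUser` is the registry field recording who published a version, and pre-release version handling is left out.

```javascript
// Constructed packument: a stand-in for the JSON the npm registry serves at
// https://registry.npmjs.org/<package>. `_npmUser` is the account that ran `npm publish`.
const samplePackument = {
  name: 'example-pkg',
  versions: {
    '1.0.0': { _npmUser: { name: 'alice' } },
    '1.1.0': { _npmUser: { name: 'alice' } },
    '1.1.1': { _npmUser: { name: 'buyer' } }, // new owner ships as a patch release
    '2.0.0': { _npmUser: { name: 'buyer' } },
  },
};

// Numeric compare of "major.minor.patch"; pre-release tags are ignored (assumption).
function compareSemver(a, b) {
  const pa = a.split('.').map((n) => parseInt(n, 10));
  const pb = b.split('.').map((n) => parseInt(n, 10));
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Walk versions in order and record each point where the publishing account changed.
// `majorBumped` says whether the change was at least signalled by a major bump; when it
// is false, a caret range such as ^1.1.0 would have pulled the new owner's code in silently.
function findPublisherChanges(packument) {
  const versions = Object.keys(packument.versions).sort(compareSemver);
  const changes = [];
  let prev = null;
  for (const version of versions) {
    const meta = packument.versions[version];
    const user = (meta._npmUser && meta._npmUser.name) || 'unknown';
    if (prev !== null && user !== prev.user) {
      changes.push({
        from: prev.version,
        to: version,
        prevUser: prev.user,
        newUser: user,
        majorBumped: parseInt(version, 10) > parseInt(prev.version, 10),
      });
    }
    prev = { version, user };
  }
  return changes;
}

for (const c of findPublisherChanges(samplePackument)) {
  console.log(`${samplePackument.name}: publisher ${c.prevUser} -> ${c.newUser} between ${c.from} and ${c.to}` +
    (c.majorBumped ? '' : ' (no major bump; review before upgrading)'));
}
```

On a real package, fetch the packument from the registry and pass it in unchanged; the same scan then works over the actual version history.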




