Last week, the removal of left-pad broke the internet. A nine-line utility disappeared from npm, and suddenly thousands of builds failed across the globe. React, Babel, Node projects… you name it, all brought down by a single missing dependency!
For a moment it felt like a funny quirk of the ecosystem, a meme-worthy accident worth a bit of self-reflection and a couple of jokes. But step back and the bigger picture is terrifying: the real danger isn't when a package disappears, it's when a package is taken over.
Software Supply Chains Are Fragile
We don't really build JavaScript applications anymore. We assemble them from thousands of tiny packages, each depending on dozens of others, often maintained by individuals in their spare time. The package left-pad taught us how fragile this ecosystem is: pull one thread and the whole scarf rips apart.
But… what if instead of pulling the thread, someone quietly poisoned it? Imagine dependencies that don't vanish but instead silently exfiltrate data, steal credentials, or ship backdoors. That's a supply chain attack, and npm is the perfect playground.
npm is young, but it's already full of packages that haven't been touched in years. As time goes on, more maintainers will abandon their projects, more custom domains will expire, and more accounts will become vulnerable.
The Email Takeover Scenario
Here’s a specific vector that should make us all nervous:
- A maintainer registers their npm account with a custom domain email (e.g. [email protected]).
- Years go by. The package is stable and widely used, but the maintainer is inactive. Maybe they've left the industry. Maybe they've even passed away.
- Their custom domain, supercooldevguy.com, expires.
- A hacker buys the domain, sets up some MX records, and now receives all email for that domain.
- They request a password reset from npm (or GitHub).
- With full account access, they publish a new version of the package with malicious code.
No package deletions. No warnings. Just a regular update. But an update that millions of downstream projects will automatically trust and install.
This isn't science fiction. It's simple, cheap, and inevitable if nothing changes. What happened with left-pad was an accident. The next incident might not be, and it could be orders of magnitude worse.
What Needs to Change
Maintainers should use stable, long-term email addresses, enable 2FA wherever possible, and transfer ownership if they're no longer active. npm should create policies for abandoned packages, add stronger identity checks, and support package signing so consumers can verify the source. And, finally, developers shouldn't blindly trust updates: use lockfiles, audit dependencies, and treat new versions like untrusted input.
The left-pad crisis was shocking, but it may also have been a gift: a glimpse into just how fragile our dependency chains are.
We dodged a bullet this time. The question isn't if a large-scale compromise will happen. It's when.