Vulnerability in the npm registry allowed adding a maintainer without confirmation

A security issue has been identified in the npm package registry: a package owner could add any user as a maintainer without that user's consent, and the added user was not notified of the action. To compound the problem, once a third party had been added, the original author could remove themselves from the maintainer list, leaving the third party as the only person listed as responsible for the package.

Creators of malicious packages could exploit this to add well-known developers or large companies to the list of maintainers in order to increase user trust and create the illusion that respected developers stand behind the package, when in fact they have nothing to do with it and do not even know it exists. For example, an attacker could publish a malicious package, add a prominent maintainer, and invite users to test a "new project" from a large company. The vulnerability could also be used to tarnish a developer's reputation by presenting them as the author of dubious or malicious packages.

GitHub was notified of the issue on February 10 and fixed it on npmjs.com on April 26 by requiring a user to accept an invitation before being listed as a maintainer of another project. Developers who maintain many npm packages are encouraged to review the packages on which they are listed as maintainer for any they were added to without their consent.
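One way to perform that review, as an added example that is not part of the original report or of npm's own tooling: query the public registry search API for every package listing a given username as maintainer, then diff the result against the packages the user knowingly maintains. It assumes the registry search endpoint at https://registry.npmjs.org/-/v1/search with its documented `maintainer:<user>` qualifier and `size`/`from` paging (250 results per request at most), and a Node.js version with a global `fetch` (18 or later). The usernames, package names and response data in the sample are constructed for illustration.

```javascript
// Added example (not from the report above): audit which npm packages list a
// given user as maintainer and flag any the user did not knowingly join.
// Assumes the npm registry search API and its `maintainer:` qualifier.

const REGISTRY_SEARCH = "https://registry.npmjs.org/-/v1/search";

// Pure check over the `objects` array of a registry search response.
// Returns the packages that list `username` as a maintainer but are not in
// `knownPackages`. A package where the user is the only maintainer is
// marked `sole`: that is the "owner added a victim, then removed themselves"
// pattern described above, and the most suspicious case.
function findUnexpectedPackages(searchObjects, username, knownPackages) {
  const known = new Set(knownPackages);
  const unexpected = [];
  for (const { package: pkg } of searchObjects) {
    const maintainers = (pkg.maintainers || []).map((m) => m.username);
    // Search is fuzzy; only trust hits that really list this username.
    if (!maintainers.includes(username)) continue;
    if (known.has(pkg.name)) continue;
    unexpected.push({
      name: pkg.name,
      version: pkg.version,
      sole: maintainers.length === 1,
      maintainers,
    });
  }
  return unexpected.sort((a, b) => a.name.localeCompare(b.name));
}

// Network part (not run offline): page through the registry search for
// `maintainer:<username>` and collect every result object.
async function fetchMaintainedPackages(username, pageSize = 250) {
  const objects = [];
  for (let from = 0; ; from += pageSize) {
    const text = encodeURIComponent("maintainer:" + username);
    const url = `${REGISTRY_SEARCH}?text=${text}&size=${pageSize}&from=${from}`;
    const res = await fetch(url);
    if (!res.ok) throw new Error(`registry search failed: HTTP ${res.status}`);
    const body = await res.json();
    objects.push(...body.objects);
    if (body.objects.length === 0 || objects.length >= body.total) break;
  }
  return objects;
}

// Constructed sample (not real registry data), shaped like the `objects`
// array the search endpoint returns. "alice" is the audited user.
const SAMPLE_OBJECTS = [
  { package: { name: "my-real-lib", version: "2.1.0",
      maintainers: [{ username: "alice" }, { username: "bob" }] } },
  // alice was added and the original owner removed themselves
  { package: { name: "totally-legit-sdk", version: "0.0.1",
      maintainers: [{ username: "alice" }] } },
  { package: { name: "shared-tool", version: "1.4.2",
      maintainers: [{ username: "mallory" }, { username: "alice" }] } },
  // fuzzy search hit for a different user; must be ignored
  { package: { name: "unrelated", version: "3.0.0",
      maintainers: [{ username: "alicia" }] } },
];

function report(unexpected) {
  for (const p of unexpected) {
    const tag = p.sole ? "SOLE MAINTAINER" : "shared";
    console.log(`${p.name}@${p.version}\t${tag}\t${p.maintainers.join(",")}`);
  }
  return unexpected.length;
}

// CLI: `node audit.js <username> pkg1 pkg2 ...` queries the registry;
// with no arguments it audits the constructed sample offline.
if (typeof require !== "undefined" && require.main === module) {
  const [username, ...known] = process.argv.slice(2);
  if (username) {
    fetchMaintainedPackages(username)
      .then((objs) => report(findUnexpectedPackages(objs, username, known)))
      .catch((err) => { console.error(err.message); process.exit(1); });
  } else {
    report(findUnexpectedPackages(SAMPLE_OBJECTS, "alice", ["my-real-lib"]));
  }
}
```

The pure function is kept separate from the network call so the classification can be unit-tested, and so the same check can be run over a saved response. Hits where the audited user is the sole maintainer deserve the first look, since a package with no other maintainer is exactly what an attacker who adds a victim and then leaves behind would produce.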

Source: opennet.ru
