Explainer

Maintainer & Account Takeover

The most dangerous supply-chain attacks don't use a fake package; they use a real one. If an attacker can take over the account that publishes a popular library, they can ship malware to everyone who updates, because the package's trust is already established.

How accounts get taken over

Why it's so effective

Signals that catch it
