If you want to hijack widely used JavaScript packages, try phishing for devs through these DMARC-shaped holes in key Node.js domains
npmjs.com, nodejs.org open to spoofing, we're warned
Two significant domains for the Node.js community, npmjs.com and nodejs.org, lack DMARC email security policies, an oversight that could allow a miscreant to send easily spoofed emails to the community....