How can you tell an email or domain really belongs to npm and isn't a phishing attempt? Here's a full list:
We own these but don't use them for anything (yet).
This is a living document and may be updated from time to time.
Please refer to the git history for this
to view the changes.
Copyright (C) npm, Inc., All rights reserved
This document may be reused under a Creative Commons