If you need to report a security vulnerability. Please visit https://npmjs.com/support.
If your issue is specific to your account, such as lost credentials or problems with two-factor authentication, contacting our support team is more appropriate.
We review all security reports on the next business day. Note that
the npm staff is generally offline for most US holidays, but please do
not delay your report! Our off-hours support staff can fix many
issues, and will alert our security point of contact if needed.
Security Point of Contact
Any security tickets opened using https://npmjs.com/support
will be escalated to the security point of contact, who will delegate incident response
activities as appropriate. This is the best and fastest way to contact npm about any security-related matter.
Critical Updates And Security Notices
We learn about critical software updates and security threats from a
variety of sources: