Dependency Hijaking

Package owners can use email with a custom domain name to register with various package managers such as npm, pypi, etc. If a domain name is expired, an attacker can register this domain name and gain access to an account through password recovery.

"Zero-Days" Without Incident - Compromising Angular via Expired npm Publisher Email Domains – The Hacker BlogThe Hacker Blog