RCE via npm misconfig -- installing internal libraries from the public registry
Team Summary
Official summary from PayPal
A Bug Bounty researcher identified an issue where certain development projects defaulted to the public NPM registry, instead of using the intended internal packages. Since the packages on the public registry did not exist, the researcher created these and observed they were downloaded. Had these packages been registered with malicious intent, it is possible for internal development to have included this code. While there are additional checks and controls in the development pipeline, this could have caused significant issues for internal systems. Thanks to the researcher's report, PayPal was able to mitigate the issue with the public registry and confirmed no evidence of prior malicious activity.
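The misconfiguration described in the summary is a dependency-confusion condition: a project with no registry mapping for its internal package names lets npm fall through to the public registry, so whoever claims those names there gets their code installed. The following added example (not PayPal's or HackerOne's code) audits a project's .npmrc and package-lock.json for exactly that: internal package names that either route to the public registry under the current config or have already been resolved from it in the lockfile. The package names, registry URL `https://npm.internal.example/`, and file contents are constructed for illustration.

```javascript
// Added example: detect internal npm packages that would be fetched from the
// public registry. All names, URLs and file contents are constructed.

const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Parse the subset of .npmrc that decides registry routing: "registry=" and
// "@scope:registry=" lines. Comments (# or ;) and blank lines are ignored.
function parseNpmrc(text) {
  const config = { registry: PUBLIC_REGISTRY, scopes: {} };
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === "registry") {
      config.registry = value;
    } else if (key.startsWith("@") && key.endsWith(":registry")) {
      config.scopes[key.slice(0, -":registry".length)] = value;
    }
  }
  return config;
}

// Registry npm would use for a package name under this config: the scope
// mapping if one exists, otherwise the default registry.
function registryFor(name, config) {
  if (name.startsWith("@")) {
    const scope = name.split("/")[0];
    if (config.scopes[scope]) return config.scopes[scope];
  }
  return config.registry;
}

// Findings for internal packages that route to, or were resolved from, a
// registry other than the internal one.
function audit({ npmrc, lockfile, internalPackages, internalRegistry }) {
  const config = parseNpmrc(npmrc);
  const lock = JSON.parse(lockfile);
  const findings = [];
  for (const name of internalPackages) {
    const target = registryFor(name, config);
    if (!target.startsWith(internalRegistry)) {
      findings.push({ name, problem: "npmrc-routes-to-public", registry: target });
    }
  }
  // lockfileVersion 2/3 stores entries under "packages", keyed by install
  // path such as "node_modules/@acme/auth", each with a "resolved" URL.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue;
    const name = path.slice(idx + "node_modules/".length);
    if (!internalPackages.includes(name)) continue;
    if (entry.resolved && !entry.resolved.startsWith(internalRegistry)) {
      findings.push({ name, problem: "lockfile-resolved-from-public", resolved: entry.resolved });
    }
  }
  return findings;
}

// Constructed sample: only the @acme scope is pinned to the internal registry,
// so the unscoped internal package falls through to the public one.
const SAMPLE_NPMRC = `
# constructed .npmrc
@acme:registry=https://npm.internal.example/
`;

const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@acme/auth": "1.0.0", "acme-legacy-utils": "2.1.0" } },
    "node_modules/@acme/auth": {
      version: "1.0.0",
      resolved: "https://npm.internal.example/@acme/auth/-/auth-1.0.0.tgz",
    },
    "node_modules/acme-legacy-utils": {
      version: "2.1.0",
      resolved: "https://registry.npmjs.org/acme-legacy-utils/-/acme-legacy-utils-2.1.0.tgz",
    },
  },
});

const INTERNAL_PACKAGES = ["@acme/auth", "acme-legacy-utils"];
const INTERNAL_REGISTRY = "https://npm.internal.example/";

function runSample() {
  return audit({
    npmrc: SAMPLE_NPMRC,
    lockfile: SAMPLE_LOCK,
    internalPackages: INTERNAL_PACKAGES,
    internalRegistry: INTERNAL_REGISTRY,
  });
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of runSample()) console.log(JSON.stringify(f));
}
```

Run against the constructed sample, the audit reports `acme-legacy-utils` twice: once because no .npmrc rule routes it to the internal registry, and once because the lockfile shows it was already resolved from registry.npmjs.org. The scoped `@acme/auth` passes both checks, which is why pinning every internal scope (or the default registry itself) in a committed .npmrc, and then checking lockfile `resolved` URLs in CI, closes the gap the report describes.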
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Bounty: $30000.00
Submitted
Weakness: Code Injection