lol granted! But notice how in that universe since npm has to send the link, then access to the link is coupled to access to the email address, serving as an auth factor.

In the attack described above, the attacker did not have access to the victim's email address.