typpilol 3 days ago

I wouldn't consider a .help domain to be a great choice.

I've literally never seen a support email or any email from a .help domain.

I'm not mocking them, just trying to understand how so many red flags slipped past.

- Domain name
- No auto-fill
- Unannounced MFA resets
- Etc...

My point is that nothing could have saved this person except extreme security measures. There's literally no conclusion here besides:

1. Lock everything down so extremely that it's extremely inconvenient, to prevent mistakes 99% of people don't make. (How many npm packages vs the total have been hijacked? Less than 1%.)

2. This person was always going to be a victim eventually... And that's a hard pill to swallow. For me and the maintainer. Being in network security it's my actual nightmare scenario.

The only lesson to be learned is you need extreme security measures for even the most experienced of internet users. This wasn't your grandma clicking a link, it's a guy who's been around for decades in the online / coding world.

It also makes me suspicious, but that's a road I'd rather keep to myself.