I suspect OP conflated "I am reporting malware in a package on npmjs.com" with "I have discovered a bug or vulnerability in a package on npmjs.com." The later shows what they report[0] whereas the former does allow for a report to be made.
> won't find your AirTag if they have Android which kind of defeats the purpose
While they're alone in a car, sure. But as soon as they're around folks with iPhones, they're tracked just fine and will never get the notifications the husband in the article got.
Doesn’t prescribe one, no, but when it is over HTTP, it’d be perfectly reasonable to have it accept QUERY for non-mutating requests, like it can currently use GET or POST.
You should consider making this into a browser extension. For this kind of script it's rather easy and is way easier for users to install. For an example with a very similar configuration (array of strings) that is a configurable extension instead, checkout my WaPo Metal Taglines greasemonkey script[0] and extension[1]
There's also https://snapdrop.net which seems extremely similar to sharedrop.io but has an additional useful feature of letting you send messages which I sometimes use to send links to devices that aren't logged into any service.
