Watch this turn out to be a JS dependency tree problem from some library that was compromised months ago in some NPM module, used in the Twitter web interface.


Given the Twitter web interface is just a client of the Twitter semi-public API, I highly doubt this is it.


As long as the API isn't running on node, right? :)


I'd suspect the web interface has UI that's wrapped around the semi-public API. It's that web interface I'm worried about.


But the Twitter web interface has access to post (since you can post via it), so it would be possible.


The Twitter web interface doesn't - it's just a JavaScript app that runs in your browser. To post a tweet, it uses the same public API that all third parties use.

To posit that an npm vulnerability in the frontend caused this hack implies that anyone can just curl their way into someone else's account.


Compromising the web interface would mean you can steal session tokens.


I love this theory, but at the same time, I feel that it's unlikely. Without knowing how their back-end is put together, that'd be like... trying to smuggle a robot into an office building to break into a safe that's inside without knowing the floor plan, what kind of knobs are on the doors, etc.


Could have paid/convinced/threatened an intern/employee to scope it out and then deployed the hack externally to bypass safety measures. Complicated but doable.


Or disgruntled ex-employee


Doubtful: It is well documented that Twitter has re-written many parts of the FE/BE framework, so I think it likely that their NIH attitude might be a benefit.