The affected packages hosted on npm are:
Once the tainted packages are installed, they will download and execute code from pastebin.com that was designed to grab the content of the user’s .npmrc file and send the information to the attacker. This file usually contains access tokens for publishing to npm.
“The attacker modified package.json in both firstname.lastname@example.org and email@example.com, adding a postinstall script to run build.js. This script downloads another script from Pastebin and evals its contents.” wrote Henry Zhu about the eslint-scope attack.
“The script extracts the _authToken from a user’s .npmrc and sends it to histats and statcounter inside the Referer header,”
The packages were quickly removed once they were discovered by maintainers and the content on pastebin.com was taken down.
“On July 12th, 2018, an attacker compromised the npm account of an ESLint maintainer and published malicious versions of the eslint-scope and eslint-config-eslint packages to the npm registry. On installation, the malicious packages downloaded and executed code from pastebin.com which sent the contents of the user’s .npmrc file to the attacker.” reads the security advisory published by ESLint.
“An .npmrc file typically contains access tokens for publishing to npm. The malicious package versions are firstname.lastname@example.org and email@example.com, both of which have been unpublished from npm. The pastebin.com paste linked in these packages has also been taken down.”
The npm login tokens grabbed by malicious packages don’t include user’s npm password, but npm opted to revoke possibly impacted tokens. Users can revoke existing tokens as suggested by npm.
“We have now invalidated all npm tokens issued before 2018-07-12 12:30 UTC, eliminating the possibility of stolen tokens being used maliciously. This is the final immediate operational action we expect to take today.” reads the npm’s incident report.
Further investigation allowed the maintainers to determine that the account was compromised because the ower had reused the same password on multiple accounts and also didn’t enabled two-factor authentication on their npm account.
ESLint released eslint-scope version 3.7.3 and eslint-config-eslint version 5.0.3.
Users who installed the malicious packages need to update npm.