The affected packages hosted on npm are:
Once the tainted packages are installed, they will download and execute code from pastebin.com that was designed to grab the content of the user’s .npmrc file and send the information to the attacker. This file usually contains access tokens for publishing to npm.
“The attacker modified package.json in both email@example.com and firstname.lastname@example.org, adding a postinstall script to run build.js. This script downloads another script from Pastebin and evals its contents.” wrote Henry Zhu about the eslint-scope attack.
“The script extracts the _authToken from a user’s .npmrc and sends it to histats and statcounter inside the Referer header,”
The packages were quickly removed once they were discovered by maintainers and the content on pastebin.com was taken down.
“On July 12th, 2018, an attacker compromised the npm account of an ESLint maintainer and published malicious versions of the eslint-scope and eslint-config-eslint packages to the npm registry. On installation, the malicious packages downloaded and executed code from pastebin.com which sent the contents of the user’s .npmrc file to the attacker.” reads the security advisory published by ESLint.
“An .npmrc file typically contains access tokens for publishing to npm. The malicious package versions are email@example.com and firstname.lastname@example.org, both of which have been unpublished from npm. The pastebin.com paste linked in these packages has also been taken down.”
The npm login tokens grabbed by malicious packages don’t include user’s npm password, but npm opted to revoke possibly impacted tokens. Users can revoke existing tokens as suggested by npm.
“We have now invalidated all npm tokens issued before 2018-07-12 12:30 UTC, eliminating the possibility of stolen tokens being used maliciously. This is the final immediate operational action we expect to take today.” reads the npm’s incident report.
Further investigation allowed the maintainers to determine that the account was compromised because the ower had reused the same password on multiple accounts and also didn’t enabled two-factor authentication on their npm account.
ESLint released eslint-scope version 3.7.3 and eslint-config-eslint version 5.0.3.
Users who installed the malicious packages need to update npm.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.