On July 12th, 2018, an attacker compromised the npm account of an ESLint maintainer and published malicious versions of the eslint-scope and eslint-config-eslint packages to the npm registry. On installation, the malicious packages downloaded and executed code from pastebin.com which sent the contents of the user's .npmrc file to the attacker. An .npmrc file typically contains access tokens for publishing to npm.
The malicious package versions are eslint-scope@3.7.2 and eslint-config-eslint@5.0.2, both of which have been unpublished from npm. The pastebin.com paste linked in these packages has also been taken down.
npm has revoked all access tokens issued before 2018-07-12 12:30 UTC. As a result, all access tokens compromised by this attack should no longer be usable.
The maintainer whose account was compromised had reused their npm password on several other sites and did not have two-factor authentication enabled on their npm account.
We, the ESLint team, are sorry for allowing this to happen. We hope that other package maintainers can learn from our mistakes and improve the security of the whole npm ecosystem.
Further details on the attack can be found here.
With the hindsight of this incident, we have a few recommendations for npm package maintainers and users going forward:
- Package maintainers and users should avoid reusing the same password across multiple sites. A password manager like 1Password or LastPass can help with this.
- Package maintainers should enable npm two-factor authentication. npm has a guide here.
- If you use Lerna, you can follow this issue.
- Package maintainers should audit and limit the number of people who have access to publish on npm.
- Package maintainers should be careful when using any services that auto-merge dependency upgrades.
- Application developers should use a lockfile (package-lock.json or yarn.lock) to prevent the auto-install of new package versions.
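The attack above ran from a postinstall script in a package that a lockfile-less install would have pulled in automatically. The following is an added example, not code from the ESLint project or from the original post: it scans an npm lockfile (v1 nested `dependencies` shape or v2/v3 flat `packages` shape) for the two malicious versions named in this post, and lists which dependency manifests declare install-time lifecycle scripts, which is where such payloads execute. The lockfile, the package manifests and the `node ./lib/setup.js` script name are constructed sample data, not the real malicious content.

```javascript
// Added example (not part of the ESLint postmortem). Pure functions over
// parsed JSON so the scan runs offline; feed it JSON.parse of a real
// package-lock.json and of node_modules/*/package.json to use it for real.

// The two malicious versions named in the postmortem.
const MALICIOUS_VERSIONS = {
  'eslint-scope': new Set(['3.7.2']),
  'eslint-config-eslint': new Set(['5.0.2']),
};

// Lifecycle scripts that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Returns [{ name, version }] for every lockfile entry that matches `bad`.
// Prefers the v2/v3 `packages` map when present (v2 lockfiles also carry a
// legacy `dependencies` tree, so walking both would double count).
function findMaliciousVersions(lockfile, bad = MALICIOUS_VERSIONS) {
  const hits = [];
  const check = (name, version) => {
    if (bad[name] && bad[name].has(version)) hits.push({ name, version });
  };

  if (lockfile.packages) {
    for (const [path, entry] of Object.entries(lockfile.packages)) {
      if (path === '') continue; // the root project entry
      // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
      const marker = 'node_modules/';
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      check(name, entry.version);
    }
    return hits;
  }

  const walkV1 = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      check(name, entry.version);
      walkV1(entry.dependencies); // nested (deduplication-failed) copies
    }
  };
  walkV1(lockfile.dependencies);
  return hits;
}

// Given a dependency's package.json, return the install hooks it declares.
function installScripts(pkgJson) {
  const scripts = pkgJson.scripts || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === 'string');
}

// Combine both checks into one report for a project.
function auditReport(lockfile, manifests) {
  const installHooks = Object.entries(manifests)
    .map(([name, pkg]) => ({ name, hooks: installScripts(pkg) }))
    .filter((entry) => entry.hooks.length > 0);
  return { malicious: findMaliciousVersions(lockfile), installHooks };
}

// Constructed sample lockfile (v2 shape, so it has both maps). ESLint 4.x
// depended on eslint-scope ^3.7.1, which is how a fresh install picked up 3.7.2.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/eslint': { version: '4.19.1' },
    'node_modules/eslint/node_modules/eslint-scope': { version: '3.7.2' },
    'node_modules/eslint-config-eslint': { version: '5.0.1' },
  },
  dependencies: {
    eslint: { version: '4.19.1', dependencies: { 'eslint-scope': { version: '3.7.2' } } },
    'eslint-config-eslint': { version: '5.0.1' },
  },
};

// Constructed sample manifests; the postinstall command is a placeholder.
const SAMPLE_MANIFESTS = {
  'eslint-scope': {
    name: 'eslint-scope', version: '3.7.2',
    scripts: { postinstall: 'node ./lib/setup.js', test: 'mocha' },
  },
  espree: { name: 'espree', version: '3.5.4', scripts: { test: 'mocha' } },
};

console.log(JSON.stringify(auditReport(SAMPLE_LOCKFILE, SAMPLE_MANIFESTS), null, 2));
```

Two caveats worth pairing with this check: a lockfile only pins what `npm ci` installs, it does not stop lifecycle scripts from running, so CI systems that do not need native builds can add `--ignore-scripts` (or `npm config set ignore-scripts true`); and a scan like this only catches versions you already know are bad, so the token side still has to be handled with `npm token list` / `npm token revoke` and `npm profile enable-2fa auth-and-writes` on the publishing account.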
Timeline:
- Before the incident: The attacker likely found the maintainer's reused email and password in a third-party breach and used them to log in to the maintainer's npm account.
- Early morning July 12th, 2018: The attacker generated an authentication token in the maintainer's npm account.
- 2018-07-12 9:49 UTC: The attacker used the generated authentication token to publish eslint-scope@3.7.2, which contained a malicious postinstall script that attempts to exfiltrate the local machine's .npmrc file.
- 2018-07-12 10:25 UTC: The attacker unpublished eslint-scope@3.7.2.
- 2018-07-12 10:40 UTC: The attacker published eslint-config-eslint@5.0.2, which contained the same malicious postinstall script.
- 2018-07-12 11:17 UTC: A user posted eslint/eslint-scope#39, notifying the ESLint team of the issue.
- 2018-07-12 12:27 UTC: The pastebin.com link containing malicious code was taken down.
- 2018-07-12 12:37 UTC: The npm team unpublished eslint-scope@3.7.2 after being contacted by an ESLint maintainer.
- 2018-07-12 17:41 UTC: The ESLint team published eslint-scope@3.7.3 with the code from eslint-scope@3.7.1 so that caches would pick up the new version.
- 2018-07-12 18:42 UTC: npm revoked all access tokens generated before 2018-07-12 12:30 UTC.