Hackers compromised an ESLint maintainer’s account and uploaded malicious packages attempting to steal login tokens from the npm software registry.
The affected packages hosted on npm are:
- eslint-scope version 3.7.2 o, a scope analysis library used by older versions of eslint, and the latest versions of babel-eslint and webpack.
- Eslint-config-eslint version 5.0.2 is a configuration used internally by the ESLint team.
Being installed, the tainted packages will download and execute code from pastebin.com that was designed to grab the content of the user’s .npmrc file and send the data to the hacker. Most often, this file contains access tokens for publishing to npm.
“The attacker modified package.json in both eslint-escope@3.7.2 and eslint-config-eslint@5.0.2, adding a postinstall script to run build.js. This script downloads another script from Pastebin and evals its contents.” Henry Zhu said.
“The script extracts the _authToken from a user’s .npmrc and sends it to histats and statcounter inside the Referer header.”
Fortunately, the maintainers removed the malicious packages right after they were found and the content on pastebin.com was taken down.
“On July 12th, 2018, an attacker compromised the npm account of an ESLint maintainer and published malicious versions of the eslint-scope and eslint-config-eslint packages to the npm registry. On installation, the malicious packages downloaded and executed code from pastebin.com which sent the contents of the user’s .npmrc file to the attacker.” the ESLint’s security advisory reads.
“An .npmrc file typically contains access tokens for publishing to npm. The malicious package versions are eslint-scope@3.7.2 and eslint-config-eslint@5.0.2, both of which have been unpublished from npm. The pastebin.com paste linked in these packages has also been taken down.”
Despite the fact that the npm login tokens stolen by the tainted packages don’t include user’s npm password, the npm opted to revoke possibly impacted tokens. Also, users who installed the malicious packages should update npm.
“We have now invalidated all npm tokens issued before 2018-07-12 12:30 UTC, eliminating the possibility of stolen tokens being used maliciously. This is the final immediate operational action we expect to take today.” the npm’s incident report states.
The maintainers were able to determine that the account was compromised due to the fact that the ower had reused the same password on multiple accounts and didn’t enabled two-factor authentication on their npm account.
ESLint released eslint-scope version 3.7.3 and eslint-config-eslint version 5.0.3.
