Following the compromise of an ESLint maintainer’s account last week, malicious packages that attempted to steal login tokens from the npm software registry were published without authorization.
Originally created by Nicholas Zakas, ESLint is described as an open source “pluggable and configurable linter tool” for identifying and reporting on patterns in JavaScript.
The issue affected version 3.7.2 of the popular package eslint-scope, as well as version 5.0.2 of eslint-config-eslint. The former is a scope analysis library used by older versions of eslint, and the latest versions of babel-eslint and webpack, while the latter is a configuration used internally by the ESLint team.
Both packages were hosted on npm, “the package manager for JavaScript and the world’s largest software registry,” which has faced similar incidents before.
Upon installation, the rogue packages would download and execute code from pastebin.com. The code was designed to grab the content of the user’s .npmrc file, which usually contains access tokens for publishing to npm, and send the information to the attacker.
“The script extracts the _authToken from a user’s .npmrc and sends it to histats and statcounter inside the Referer header,” Henry Zhu notes.
Both of the malicious packages were unpublished from npm soon after the issue was discovered. Furthermore, the pastebin.com paste linked in these packages was taken down as well, ESLint explains in a post.
The npm login tokens targeted by the malicious code would not provide the attacker with the user’s npm password, but npm nonetheless decided to revoke possibly impacted tokens. Users too have the option to revoke existing tokens and npm advised them to do so.
“We have now invalidated all npm tokens issued before 2018-07-12 12:30 UTC, eliminating the possibility of stolen tokens being used maliciously,” npm said.
The compromise was apparently possible because the maintainer had reused the same password on multiple accounts and also didn’t have two-factor authentication enabled on their npm account.
To ensure users are no longer at risk, ESLint published eslint-scope version 3.7.3 (with code from version 3.7.1) and eslint-config-eslint version 5.0.3.
The publishing of the updated packages doesn’t resolve the issue for all users, as those who installed the rogue packages would still need to do npm update or equivalent.