Tl;dr

[EDIT 2018-07-16] The official ESLint post-mortem has been released. NPM has already revoked all tokens at once, so you probably don't need to do this yourself.

A backdoor was introduced in eslint-scope (version 3.7.2), a package on which ESLint depends.

It seems that the goal of this hack was to leak NPM tokens.

We advise you to take the following actions as soon as possible:

Revoke all your NPM tokens at once

Enable 2FA on your NPM account for all scopes

Audit the NPM packages you own to ensure nobody published new versions without you knowing

If you are running a private registry or a mirror, delete this package

Ensure you don’t have eslint-scope version 3.7.2 on your computers

Context

On 2018-07-12 at 1:17PM GMT Andrei Mihailov (@pronebird) opened an issue on eslint-scope 3.7.2.

It shows that the module was backdoored with the following script:

View the code on Gist.

This script simply fetches the content of a pastebin document and evals it in the current Node.js process.

The pastebin document has already been unpublished, but thankfully someone copied it beforehand:

View the code on Gist.

This script looks for a file named .npmrc in the current user's home directory. This is where the NPM CLI stores the user token, which is used to authenticate the user against the NPM registry.

When the .npmrc file is found, the script extracts the user token and leaks it through the Referer header of a GET request to web analytics servers.

It is still not clear how this backdoor made its way into eslint-scope, but as of today version 3.7.2 has been unpublished from the registry.

Impact

eslint-scope is a direct dependency of the extremely popular ESLint module. Most JavaScript applications, backend or frontend, use ESLint somewhere in their build toolchain.

We highly recommend that you revoke all your NPM tokens at once. An attacker could use them to publish malicious packages on your behalf or access your organization's private packages.

If you did not do it yet, enable 2FA on your NPM account now.

Also, if you run a private registry or a mirror, you should immediately unpublish eslint-scope@3.7.2.

Please ensure this version of the package is not installed anywhere on your systems. Even though the attack payload was removed from pastebin, someone could theoretically put a new one in its place and run arbitrary scripts on your machines.