RunKit is in the unique position where we have the built source of every package on npm readily available, so we've kicked off an initial simple scan of every package currently published to see if we detect the additional presence of this virus in the registry. The process is ongoing and we will be updating this README with our findings, as well as filing issues on any projects if we get a positive hit. We have already found one instance that was previously unreported that is detailed below. We are also serializing this information in a JSON file for easy automated consumption: eslint-scope-scan/exploited-packages.json
This is a fairly simplistic scan, just searching for the strings
sstatic1.histats.com and raw/XLeVP82h, designed to quickly mitigate and
discover any pure copies of this virus, and probably won't catch cases where the
code has been significantly altered. We are open to suggestions from the
community about additional steps we could take. Again, we're in a position few
others are to actually check all the source, and so we feel it is our
responsibility to help in any way we can.
Ultimately, we are hoping that this was caught fast enough to not have had a chance to spread, and that this work will be in an abundance of caution. The node community is certainly large enough where "enough eyes [may] make every vulnerability shallow", and the already great (and quick!) work by the eslint-scope team and npm have hopefully stopped this before it had a chance to grow.
-
status bug unpublished eslint-scope #39 The package that we believe had the original vulnerability.
-
status bug unpublished eslint-scope #39 A related package that was quickly discovered to also contain the vulnerability.
-
status bug upublished eslint-config-airbnb-standard #3 Update: npm has unpublished this package. It was confirmed that the virus will still take affect even though it was in
bundledDependencies, so please remove this version of this package if you are using it.RunKit's virus scan detected that
eslint-config-airbnb-standard@2.0.0containseslint-scope@3.7.2in itsbundleDependencies. Unlikedependencies,bundledDependenciesare not downloaded separately from npm at install but rather included directly in the tarball. This means that this version will always be susceptible to the bug despite not having necessarily been directly compromised itself, since it will always contain the originally affectedeslint-scope.Given that the virus takes action during installation and eslint-scope is present inIt is now confirmed that the virus is active in this package. Despite being inbundledDependencies, it is possible that the bug won't have a chance to take effect. However, we have not thoroughly tested this and it is recommended you move away from this version either way. Version 2.1.0 does not appear to have the vulnerability.bundledDependencies, the virus will still run the post-hook script on install, it is important to remove this package if you are using it