ESLint Submodules Hacked: Devs Advised to Enable Layered Authentication, Renew Tokens
An attacker reportedly used a valid maintainer's account credentials to compromise the popular JavaScript code library ESLint, publishing versions of its submodule packages eslint-scope and eslint-config-eslint that were injected with malicious code to steal users' npm credentials. ESLint is an open source utility for JavaScript (ECMAScript) that analyzes code and reports on patterns and bugs, making published projects more consistent. As a precaution, npm has revoked all access tokens created before July 12, 2:30pm UTC.
According to the preliminary report, the attacker gained access between July 11 and 12 and generated a new npm token to authenticate the publication of eslint-config-eslint version 5.0.2 and eslint-scope version 3.7.2 to the JavaScript package registry. Both submodules were injected with a malicious postinstall script that reads the local system's .npmrc file and extracts the npm authentication tokens stored there, affecting an estimated 4,500 users' login credentials. The compromise was discovered after a user reported a possible virus infection, and ESLint's postmortem timeline post shows that the issue was resolved an hour after that report. The attacker obtained the maintainer's npm credentials from a third-party breach: the maintainer had reused the same password on other sites, and the exposed password also unlocked the npm publisher account.
The open source utility records an average of two million downloads weekly, and developers who installed the packages between the affected dates are advised to change their npm passwords, renew their npm tokens, and enable two-factor authentication (2FA) immediately. Stolen npm credentials can be used to inject malicious code or malware into any other JavaScript libraries, toolkits, and projects that the victim is able to publish via npm.