Crooks deployed malicious ESLint packages that steal software registry login tokens

Hackers compromised the npm account of an ESLint maintainer and published malicious versions of eslint packages to the npm registry.

Crooks compromised an ESLint maintainer’s account last week and uploaded malicious packages that attempted to steal login tokens from the npm software registry. npm is the package manager for JavaScript and the world’s largest software registry.

ESLint is open source “pluggable and configurable linter tool” for identifying and reporting on patterns in JavaScript, it was created by Nicholas Zakas.

The affected packages hosted on npm are:

• eslint-scope version 3.7.2 o, a scope analysis library used by older versions of eslint, and the latest versions of babel-eslint and webpack.
• eslint-config-eslint version 5.0.2 is a configuration used internally by the ESLint team.

Once the tainted packages are installed, they will download and execute code from pastebin.com that was designed to grab the content of the user’s .npmrc file and send the information to the attacker. This file usually contains access tokens for publishing to npm.

“The attacker modified package.json in both eslint-escope@3.7.2 and eslint-config-eslint@5.0.2, adding a postinstall script to run build.js. This script downloads another script from Pastebin and evals its contents.” wrote Henry Zhu about the eslint-scope attack.

“The script extracts the _authToken from a user’s .npmrc and sends it to histats and statcounter inside the Referer header,” 

The packages were quickly removed once they were discovered by maintainers and the content on pastebin.com was taken down.

“On July 12th, 2018, an attacker compromised the npm account of an ESLint maintainer and published malicious versions of the eslint-scope and eslint-config-eslint packages to the npm registry. On installation, the malicious packages downloaded and executed code from pastebin.com which sent the contents of the user’s .npmrc file to the attacker.” reads the security advisory published by ESLint.

“An .npmrc file typically contains access tokens for publishing to npm. The malicious package versions are eslint-scope@3.7.2 and eslint-config-eslint@5.0.2, both of which have been unpublished from npm. The pastebin.com paste linked in these packages has also been taken down.”

The npm login tokens grabbed by malicious packages don’t include user’s npm password, but npm opted to revoke possibly impacted tokens. Users can revoke existing tokens as suggested by npm.

“We have now invalidated all npm tokens issued before 2018-07-12 12:30 UTC, eliminating the possibility of stolen tokens being used maliciously. This is the final immediate operational action we expect to take today.” reads the npm’s incident report. 

Further investigation allowed the maintainers to determine that the account was compromised because the ower had reused the same password on multiple accounts and also didn’t enabled two-factor authentication on their npm account.

ESLint released eslint-scope version 3.7.3 and eslint-config-eslint version 5.0.3.

Users who installed the malicious packages need to update npm.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – ESLint packages, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]