eslint-scope v3.7.2 steals NPM tokens
Colleagues, please note that if you updated Node.js packages today, in particular eslint-scope to version 3.7.2, you need to rotate your npm tokens urgently and review the latest commits to your packages.
Summary of the incident at the link.
In short, after obtaining the npm token of one of the eslint-scope maintainers by a still unknown route, the attacker published package version 3.7.2, which collects tokens from the file
npmrc = path.join(process.env.HOME || process.env.USERPROFILE, '.npmrc');
and sends them to the attackers.
eslint-scope versions 3.7.1 and 3.7.3 are safe.
Version 3.7.2 has been removed from the npm registry, but it may still remain in local caches and mirror registries.
The following options are offered to verify that you are unaffected:
1. A one-liner over your checkouts (adjust ~/code to where your projects live; it looks for an installed eslint-scope whose package.json reports exactly 3.7.2):
for packagejson in $(find ~/code -name 'package.json' -path '*node_modules/eslint-scope/*'); do if jq -r '.version' "$packagejson" | grep -q '^3\.7\.2$'; then echo "$packagejson"; fi; done
2. The script from gist.github.com/brownstein/8aaade4953807f512d416da0c6a5a5f6.
UPD> This is important, because this package is an eslint dependency, and it seems to still be pulled in by babel and webpack.