eslint-scope v3.7.2 steals NPM tokens

    Colleagues, please note: if you updated Node.js packages today, specifically eslint-scope to version 3.7.2, you need to urgently change your NPM tokens and check the latest commits to your packages.

    A summary of the incident is available by reference.

    In short, after the tokens of one of the eslint-scope developers were obtained in an unknown way, package version 3.7.2 was released, collecting tokens from a file


    and sending them to attackers.

    eslint-scope versions 3.7.1 and 3.7.3 are safe.

    Version 3.7.2 has been removed from the NPM repository, but may still remain in local caching repositories.

    The following options are offered to verify that you are unaffected:

    1. One-liner:

    for packagejson in $(find ~/code -name 'package.json' -path '*node_modules/eslint-scope/*'); do jq '.version' "$packagejson" | grep '3.7.2' 1>/dev/null; if [[ $? == "0" ]]; then echo "$packagejson"; fi; done

    2. (script from here).

    UPD: This is important because this package is an eslint dependency. And it seems to still be in babel and webpack.
