This article is more than 1 year old

Now Pushing Malware: NPM package dev logins slurped by hacked tool popular with coders

Tokens killed after eslint-scope utility compromised

Updated An unfortunate chain reaction was averted today after miscreants tampered with a widely used JavaScript programming tool to steal other developers' NPM login tokens.

The open-source utility eslint-scope was altered by hackers so that, when used to analyze source code, it would copy the contents of the user's ~/.npmrc file to an outside server via HTTPS – that file would include the victim's login token.

NPM is the JavaScript world's package manager for libraries, toolkits, and other code projects. With those tokens in hand, scumbags could have started altering other packages to further collect login tokens, insert malicious code into programs, and so on, possibly initiating a chain reaction of cyber-crime.

Although eslint-scope has more than two million weekly downloads, we're told only a small number of people were stung by the compromised version, and had their tokens swiped. Tokens issued before 1230 UTC today have been revoked, people should change their NPM passwords and enable two-factor authentication, and an investigation is underway to discover if any NOPM packages have been vandalized via stolen credentials.


Version 3.7.2 of eslint-scope was pushed to NPM by miscreants who gained control of a maintainer's NPM account for the software: that's the poisoned version that harvested people's NPM login tokens. It was taken offline within two hours of going live.

The credential thieves could have used the tokens to gain access to other NPM-managed projects that could, again, be used to spread more malware. NPM users download billions of packages every week.

In other words, someone lost control their NPM account to an attacker, who then implanted malicious code in a popular tool maintained by that someone to gain access to NPM accounts to potentially infect further packages.

Headshot of Trojan horse

This typosquatting attack on npm went undetected for 2 weeks


Understandably, NPM has already invalidated tokens issued before 2018-07-12 1230 UTC in an attempt to prevent the further spread of evil code. Unfortunately, the damage may have already been done. NPM said "a small number" of developers, and potentially their projects, were affected by this.

"We believe the vector for this compromise was stolen credentials from one of the authorized publishers of the eslint-scope package," NPM said in a statement on its website.

"We recommend all package authors enable two-factor auth to protect their accounts from this kind of attack."

The hijack is believed to have kicked off some time last night, with an eslint-scope maintainer's account receiving a new unexpected NPM token overnight, tipping off coders to a possible security breach.

"One of our maintainers did observe that a new npm token was generated overnight (said maintainer was asleep)," explained eslint dev Kevin Partington.

Anyone who used the infected version of eslint-scope has, by now, had their NPM tokens revoked, so that part of the attack has been mitigated. They should also delete the software, and install a known good version.

NPM said it will conduct a further audit of all of its managed projects to determine just how bad the breach really was. ®

Updated to add

We understand some 4,500 login tokens were potentially swiped by the rogue JavaScript utility, although there has been no sign of any malicious activity beyond the compromise of eslint-scope. NPM's CTO CJ Silverio dropped us a note to explain:

Early in the morning of July 12, an individual gained access to an npm publisher’s account and used this access to publish an unauthorized update of a popular package. The update included malicious code that would have attempted to access the accounts of additional npm users by obtaining these accounts’ access tokens.

We determined that access tokens for approximately 4,500 accounts could have been obtained before we acted to close this vulnerability. However, we have not found evidence that any tokens were actually obtained or used to access any account during this window.

As a precautionary measure, npm has revoked every access token that had been created prior to 2:30 pm UTC (7:30 am California time) today. This measure requires every registered npm user to re-authenticate to and generate new access tokens, but it ensures that there is no way for this morning’s vulnerability to persist or spread. We are additionally conducting a full forensic analysis to confirm that no other accounts were accessed or used to publish unauthorized code.

This morning’s incident did not happen because of an breach, but because of a breach elsewhere that exposed a publisher’s npm credentials. To mitigate this risk, we encourage every user to enable two-factor authentication, with which this morning’s incident would have been impossible.

More about


Send us news

Other stories you might like