Malicious ESLint Packages Steal Software Registry Login Tokens

Following the compromise of an ESLint maintainer’s account last week, malicious packages that attempted to steal login tokens from the npm software registry were published without authorization.  Originally created by Nicholas Zakas, ESLint is described as an open source "pluggable and configurable linter tool" for identifying and reporting on patterns in JavaScript. The issue affected version 3.7.2 of the popular package eslint-scope, as well as version 5.0.2 of eslint-config-eslint. The former is a scope analysis library used by older versions of eslint, and the latest versions of babel-eslint and webpack, while the latter is a configuration used internally by the ESLint team. Both packages were hosted on npm, “the package manager for JavaScript and the world’s largest software registry,” which has faced similar incidents before.  Upon installation, the rogue packages would download and execute code from pastebin.com. The code was designed to grab the content of the user’s .npmrc file, which usually contains access tokens for publishing to npm, and send the information to the attacker. “The script extracts the _authToken from a user's .npmrc and sends it to histats and statcounter inside the Referer header,” Henry Zhu notes. Both of the malicious packages were unpublished from npm soon after the issue was discovered. Furthermore, the pastebin.com paste linked in these packages was taken down as well, ESLint explains in a post. The npm login tokens targeted by the malicious code would not provide the attacker with the user’s npm password, but npm nonetheless decided to revoke possibly impacted tokens. Users too have the option to revoke existing tokens and npm advised them to do so.