Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWh4eGYtcTN3OS00eGd3
Malicious Package in eslint-scope
Version 3.7.2 of eslint-scope was published without authorization and was found to contain malicious code. This code would read the user's .npmrc file and send any found authentication tokens to 2 remote servers.
Recommendation
The best course of action if you found this package installed in your environment is to revoke all your npm tokens. You can find instructions on how to do that here: https://docs.npmjs.com/getting-started/working_with_tokens#how-to-revoke-tokens
Permalink: https://github.com/advisories/GHSA-hxxf-q3w9-4xgw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWh4eGYtcTN3OS00eGd3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 6 years ago
Updated: over 1 year ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-hxxf-q3w9-4xgw
References:
- https://github.com/eslint/eslint-scope/issues/39
- https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes
- https://github.com/advisories/GHSA-hxxf-q3w9-4xgw
- https://www.npmjs.com/advisories/673
- https://snyk.io/vuln/SNYK-JS-ESLINTSCOPE-11120
Blast Radius: 56.4
Affected Packages
npm:eslint-scope
Dependent packages: 1,686
Dependent repositories: 1,592,057
Downloads: 328,598,421 last month
Affected Version Ranges: = 3.7.2
Fixed in: 3.7.3
All affected versions:
All unaffected versions: 3.7.0, 3.7.1, 3.7.3, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 5.0.0, 5.1.0, 5.1.1, 6.0.0, 7.0.0, 7.1.0, 7.1.1, 7.2.0, 7.2.1, 7.2.2, 8.0.0, 8.0.1, 8.0.2, 8.1.0, 8.2.0
npm:eslint-config-eslint
Dependent packages: 392
Dependent repositories: 26,091
Downloads: 120,801 last month
Affected Version Ranges: = 5.0.2
Fixed in: 6.0.0
All affected versions:
All unaffected versions: 1.0.0, 1.0.1, 2.0.0, 3.0.0, 4.0.0, 5.0.0, 5.0.1, 6.0.0, 7.0.0, 8.0.0, 9.0.0, 10.0.0, 11.0.0