Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWh4eGYtcTN3OS00eGd3

Malicious Package in eslint-scope

Version 3.7.2 of eslint-scope was published without authorization and was found to contain malicious code. This code would read the user's .npmrc file and send any authentication tokens it found to two remote servers.

Recommendation

If you find this package installed in your environment, the best course of action is to revoke all of your npm tokens. Instructions for doing so are here: https://docs.npmjs.com/getting-started/working_with_tokens#how-to-revoke-tokens

Permalink: https://github.com/advisories/GHSA-hxxf-q3w9-4xgw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWh4eGYtcTN3OS00eGd3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 6 years ago
Updated: over 1 year ago


CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Identifiers: GHSA-hxxf-q3w9-4xgw
References: Repository: https://github.com/eslint/eslint-scope
Blast Radius: 56.4

Affected Packages

npm:eslint-scope
Dependent packages: 1,686
Dependent repositories: 1,592,057
Downloads: 315,004,866 last month
Affected Version Ranges: = 3.7.2
Fixed in: 3.7.3
All affected versions:
All unaffected versions: 3.7.0, 3.7.1, 3.7.3, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 5.0.0, 5.1.0, 5.1.1, 6.0.0, 7.0.0, 7.1.0, 7.1.1, 7.2.0, 7.2.1, 7.2.2, 8.0.0, 8.0.1, 8.0.2, 8.1.0, 8.2.0
npm:eslint-config-eslint
Dependent packages: 392
Dependent repositories: 26,091
Downloads: 110,048 last month
Affected Version Ranges: = 5.0.2
Fixed in: 6.0.0
All affected versions:
All unaffected versions: 1.0.0, 1.0.1, 2.0.0, 3.0.0, 4.0.0, 5.0.0, 5.0.1, 6.0.0, 7.0.0, 8.0.0, 9.0.0, 10.0.0, 11.0.0