Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Malicious Package in eslint-config-eslint
Version 5.0.2 of eslint-config-eslint was published without authorization and was found to contain malicious code. This code would read the user's .npmrc file and send any authentication tokens it found to a remote server.
Recommendation
The best course of action if you found this package installed in your environment is to revoke all your npm tokens. Instructions on how to do that are at https://docs.npmjs.com/getting-started/working_with_tokens#how-to-revoke-tokens
Users may consider downgrading to version 5.0.1.
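To check whether a project resolved the affected version, the following added example (not part of the advisory or of any project's code) scans a parsed package-lock.json for eslint-config-eslint at 5.0.2, including nested and aliased installs. It assumes npm's lockfile layouts (the flat "packages" map in lockfileVersion 2 and 3, the nested "dependencies" tree in version 1); the function name and both sample lockfiles are constructed for illustration.

```javascript
// Added example: locate lockfile entries matching this advisory's affected range.
const ADVISORY = { name: "eslint-config-eslint", bad: "5.0.2" }; // values from the advisory

// Returns the install path of every entry that resolves ADVISORY.name to ADVISORY.bad.
// For a real project: findAffected(JSON.parse(<contents of package-lock.json>)).
function findAffected(lock) {
  const hits = [];

  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Aliased installs carry the real package name in "name".
    const name = meta.name || path.split("node_modules/").pop();
    if (name === ADVISORY.name && meta.version === ADVISORY.bad) hits.push(path);
  }
  if (lock.packages) return hits; // v2 repeats the same data under "dependencies"

  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = `${trail}node_modules/${name}`;
      if (name === ADVISORY.name && meta.version === ADVISORY.bad) hits.push(here);
      walk(meta.dependencies, `${here}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles: a safe top-level copy plus a nested affected copy.
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/eslint-config-eslint": { version: "5.0.1" },
    "node_modules/some-plugin/node_modules/eslint-config-eslint": { version: "5.0.2" },
  },
};
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "eslint-config-eslint": { version: "5.0.1" },
    "some-plugin": {
      version: "2.0.0",
      dependencies: { "eslint-config-eslint": { version: "5.0.2" } },
    },
  },
};

console.log("v3 hits:", findAffected(SAMPLE_V3));
console.log("v1 hits:", findAffected(SAMPLE_V1));
```

A hit means the install ran with access to the user's .npmrc, so the token revocation recommended above applies even if the package has since been downgraded.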
Permalink: https://github.com/advisories/GHSA-pv55-r6j3-wp94
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB2NTUtcjZqMy13cDk0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: 9 months ago
Identifiers: GHSA-pv55-r6j3-wp94
References:
Blast Radius: 0.0
Affected Packages
npm:eslint-config-eslint
Dependent packages: 392
Dependent repositories: 26,091
Downloads: 45,622 last month
Affected Version Ranges: = 5.0.2
No known fixed version
All affected versions: