Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB2NTUtcjZqMy13cDk0

Malicious Package in eslint-config-eslint

Version 5.0.2 of eslint-config-eslint was published without authorization and was found to contain malicious code. This code would read the user's .npmrc file and send any authentication tokens it found to a remote server.

Recommendation

If you found this package installed in your environment, the best course of action is to revoke all your npm tokens. Instructions for revoking tokens: https://docs.npmjs.com/getting-started/working_with_tokens#how-to-revoke-tokens

Users may consider downgrading to version 5.0.1.
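To decide whether the recommendation above applies to a project, the lockfile can be checked for the affected release. The following is an added example, not code from the advisory or from npm; it assumes a standard package-lock.json layout, and the sample lockfiles are constructed.

```javascript
// Added example: find eslint-config-eslint 5.0.2 (the release named in this
// advisory) in a parsed package-lock.json object.
const AFFECTED = { name: "eslint-config-eslint", version: "5.0.2" };

// Returns the lockfile locations where the affected version is pinned.
// lockfileVersion 2/3 uses "packages" keyed by node_modules path;
// lockfileVersion 1 uses a nested "dependencies" tree.
function findAffected(lock, affected = AFFECTED) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // The package name is the last segment after "node_modules/".
      const name = meta.name || path.split("node_modules/").pop();
      if (name === affected.name && meta.version === affected.version) {
        hits.push(path);
      }
    }
    return hits;
  }
  // v1 lockfile: walk the tree, including transitive dependencies.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === affected.name && meta.version === affected.version) {
        hits.push(here.join(" > "));
      }
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles ("demo-app" and "tool" are hypothetical).
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/eslint-config-eslint": { version: "5.0.1" },
  "node_modules/tool/node_modules/eslint-config-eslint": { version: "5.0.2" },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  tool: { version: "2.0.0",
    dependencies: { "eslint-config-eslint": { version: "5.0.2" } } },
} };

console.log(findAffected(sampleV3)); // nested copy only; 5.0.1 is not flagged
console.log(findAffected(sampleV1));
```

An empty result only describes the current lockfile; it does not show that 5.0.2 was never installed on a machine in the past.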

Permalink: https://github.com/advisories/GHSA-pv55-r6j3-wp94
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB2NTUtcjZqMy13cDk0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: 9 months ago


Identifiers: GHSA-pv55-r6j3-wp94
References:
Blast Radius: 0.0

Affected Packages

npm:eslint-config-eslint
Dependent packages: 392
Dependent repositories: 26,091
Downloads: 45,622 last month
Affected Version Ranges: = 5.0.2
No known fixed version
All affected versions: