1

Codacy Product Showcase: April 2024

Group 370
2

Codacy Security Adds Thousands of New SAST Rules With Semgrep Integration

Group 370
3

ESLint compromised: security

In this article:
Subscribe to our blog:

On July 12th, 2018, an issue was created in the eslint-scope repository. After some analysis, it is clear that this is a more significant issue than what was initially considered.

TLDR;

ESLint plugins may have compromised the content of your .npmrc file. If using the affected packages, you must revoke any credentials available through there.

If you’re using  ESLint through Codacy, there is nothing you need to do, as Codacy does not allow tools to access the internet during execution.

The Issue

The attacker published “malicious versions of the eslint-scope and eslint-config-eslint packages to the npm registry. On installation, the malicious packages downloaded and executed code from pastebin.com which sent the contents of the user’s .npmrc file to the attacker. An .npmrc file typically contains access tokens for publishing to npm.” You can see more details on the postmortem.

ESLint Affected Packages

  • eslint-scope@3.7
  • eslint-config-eslint@5.0

Resources

Wrapping it up

If you made it this far, why not thank Andrej Mihajlov for his finding. You can also follow him on Twitter.


Codacy is used by thousands of developers to analyze billions of lines of code every day!

Getting started is easy – and free! Just use your  GitHub, Bitbucket or Google account to sign up.

GET STARTED

RELATED
BLOG POSTS

Code Quality: Shared Dashboard
Following the release of our new product workflow we continue working towards helping organisations effortlessly standardise code quality. A shared...
Codacy Integrates With GitLab Enterprise
As we see more and more enterprises adopting GitLab enterprise, we are happy to announce today that Codacy’s Enterprise version now integrates with...
How To Create The Perfect Code Review Checklist
Nobody’s perfect — not even the world’s most experienced programmer. Everyone who writes code makes mistakes, and it’s important to catch them before...

Automate code
reviews on your commits and pull request

Group 13