
ESLint compromised: security

On July 12th, 2018, an issue was opened in the eslint-scope repository. After some analysis, it became clear that this is a more serious issue than it was initially considered to be.

TLDR;

Malicious versions of ESLint packages may have exposed the contents of your .npmrc file. If you installed the affected packages, you must revoke every credential stored in that file.

If you’re using ESLint through Codacy, there is nothing you need to do, as Codacy does not allow tools to access the internet during execution.

The Issue

The attacker published “malicious versions of the eslint-scope and eslint-config-eslint packages to the npm registry. On installation, the malicious packages downloaded and executed code from pastebin.com which sent the contents of the user’s .npmrc file to the attacker. An .npmrc file typically contains access tokens for publishing to npm.” You can find more details in the postmortem.

ESLint Affected Packages

  • eslint-scope@3.7
  • eslint-config-eslint@5.0
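
As an added example (this is not Codacy’s or ESLint’s own code), here is a small Node.js audit helper covering the three checks this post asks for: find the affected package versions in a package-lock.json, list the install-time lifecycle hooks a package declares (the vector the postmortem describes), and list the credentials in an .npmrc that would need revoking. The package names and versions are taken from the list above; matching any patch release under those major.minor versions is an assumption, and the lockfile, package.json and .npmrc contents are constructed samples.

```javascript
'use strict';
// Added example, not Codacy's or ESLint's code. Audits a lockfile, a
// package.json and an .npmrc for the eslint-scope incident described above.

// Affected versions as listed in the post (major.minor granularity).
const AFFECTED = {
  'eslint-scope': ['3.7'],
  'eslint-config-eslint': ['5.0'],
};

// Assumption: any patch release under a listed major.minor counts as affected.
function versionAffected(name, version) {
  const prefixes = AFFECTED[name] || [];
  return prefixes.some((p) => version === p || version.startsWith(p + '.'));
}

// Handles lockfileVersion 2/3 ("packages" keyed by path) and
// lockfileVersion 1 (nested "dependencies"); nested copies are found too.
function findAffectedPackages(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue; // "" is the root project itself
      const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
      if (versionAffected(name, meta.version)) hits.push({ name, version: meta.version, path });
    }
    return hits;
  }
  const walk = (deps, parent) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = parent + 'node_modules/' + name;
      if (versionAffected(name, meta.version)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Lifecycle scripts that npm runs at install time; these are worth reviewing
// for any dependency because they execute before you ever import the package.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
function findInstallHooks(pkg) {
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS.filter((h) => h in scripts).map((h) => ({ hook: h, command: scripts[h] }));
}

// Credentials in .npmrc live under keys ending in _authToken, _auth or _password.
// Values are redacted so the report itself does not leak them.
function redact(v) {
  return v.length <= 8 ? '****' : v.slice(0, 4) + '...' + v.slice(-4);
}
function findNpmrcCredentials(text) {
  const found = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line[0] === '#' || line[0] === ';') continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (/(_authToken|_auth|_password)$/.test(key)) found.push({ key, preview: redact(value) });
  }
  return found;
}

// Constructed sample inputs (not real project files).
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'my-app' },
    'node_modules/eslint': { version: '5.1.0' },
    'node_modules/eslint/node_modules/eslint-scope': { version: '3.7.2' },
    'node_modules/eslint-scope': { version: '4.0.0' },
  },
};
const SAMPLE_PKG = { name: 'some-dependency', scripts: { postinstall: 'node ./install.js', test: 'mocha' } };
const SAMPLE_NPMRC = [
  '# constructed sample .npmrc',
  'registry=https://registry.npmjs.org/',
  '//registry.npmjs.org/:_authToken=npm_EXAMPLEexampleEXAMPLE1234',
  '//npm.example.internal/:_password=c2VjcmV0',
  'always-auth=true',
].join('\n');

// Builds the full report so each finding can be acted on (rotate, review, remove).
function auditReport(lock, pkg, npmrc) {
  return {
    affectedPackages: findAffectedPackages(lock),
    installHooks: findInstallHooks(pkg),
    credentialsToRevoke: findNpmrcCredentials(npmrc),
  };
}

console.log(JSON.stringify(auditReport(SAMPLE_LOCK, SAMPLE_PKG, SAMPLE_NPMRC), null, 2));
```

Run it with `node audit.js`; in a real project, replace the sample objects with the parsed contents of `package-lock.json`, each dependency's `package.json` and `~/.npmrc`. A non-empty `credentialsToRevoke` on a machine that installed an affected version means those tokens must be treated as leaked regardless of what else the report says.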

Resources

Wrapping it up

If you made it this far, why not thank Andrej Mihajlov for his finding? You can also follow him on Twitter.
