ESLint compromised: security


On July 12th, 2018, an issue was opened in the eslint-scope repository. After some analysis it became clear that the problem is more significant than it first appeared.

TL;DR

Malicious versions of two ESLint packages may have exfiltrated the contents of your .npmrc file. If you installed the affected versions, you must revoke any credentials stored in that file.

If you use ESLint through Codacy, there is nothing you need to do: Codacy does not allow tools to access the internet during execution, so the malicious package could neither fetch its second stage nor send your .npmrc anywhere.

The Issue

The attacker published “malicious versions of the eslint-scope and eslint-config-eslint packages to the npm registry. On installation, the malicious packages downloaded and executed code from pastebin.com which sent the contents of the user’s .npmrc file to the attacker. An .npmrc file typically contains access tokens for publishing to npm.” You can find more details in the ESLint postmortem.

ESLint Affected Packages

  • eslint-scope@3.7.2
  • eslint-config-eslint@5.0.2

Wrapping it up

If you made it this far, why not thank Andrej Mihajlov for his finding? You can also follow him on Twitter.

