Open Source · 2018-07-12 · 0 days · Data Exfiltration

eslint-scope npm malware stole tokens

An attacker compromised the npm account of an ESLint maintainer and published malicious versions of eslint-scope and eslint-config-eslint.

Story

The ESLint compromise started with a maintainer account. On July 12, 2018, an attacker used that access to publish malicious eslint-scope and eslint-config-eslint releases. The packages were developer tooling, so the first systems exposed were the machines and CI jobs that build other software.

The malicious code searched for .npmrc files and the npm authentication tokens stored in them. It needed no kernel exploit or browser bug: it only needed the registry to accept a package from a trusted publisher, and a normal installation then gave it access to credentials that could publish the next package.

That made the package a credential-harvesting bridge. The attacker was not trying to monetize ESLint users directly; the more dangerous outcome was a chain of newly stolen npm tokens, each one able to publish more malicious packages under trusted names.

ESLint's postmortem and npm's response centered on token revocation and containment. The important impact was the chain reaction that was possible but interrupted: one stolen maintainer account could have become many stolen publisher tokens.

Affected Artifacts

Incident Context

Motive: Credential Theft
Attribution: Person
Cause: Compromised Account Credentials
Transitive: No
Actor: Individual Hacker
User Impact: 4500

Indicators

External References

Source record: oss/attacks/eslint/meta.yaml