Hacker gained access to a developer’s npm account
The hack took place on the night between July 11 and 12, according to the results of a preliminary investigation posted on GitHub a few hours ago.
“One of our maintainers did observe that a new npm token was generated overnight (said maintainer was asleep),” said Kevin Partington, ESLint project member.
The malicious version was eslint-scope 3.7.2, which the maintainers of the npm repository have recently taken offline.
Malicious code steals npm credentials
“The published code seems to steal npm credentials, so we do recommend that anyone who might have installed this version change their npm password and (if possible) revoke their npm tokens and generate new ones,” Partington recommended for developers who used esling-scope.
In an email to Bleeping Computer, npm CTO C.J. Silverio put the incident into perspective.
“We determined that access tokens for approximately 4,500 accounts could have been obtained before we acted to close this vulnerability. However, we have not found evidence that any tokens were actually obtained or used to access any npmjs.com account during this window,” Silverio said.
“As a precautionary measure, npm has revoked every access token that had been created prior to 2:30 pm UTC (7:30 am California time) today. This measure requires every registered npm user to re-authenticate to npmjs.com and generate new access tokens, but it ensures that there is no way for this morning’s vulnerability to persist or spread. We are additionally conducting a full forensic analysis to confirm that no other accounts were accessed or used to publish unauthorized code.
“This morning’s incident did not happen because of an npmjs.com breach, but because of a breach elsewhere that exposed a publisher’s npm credentials. To mitigate this risk, we encourage every npmjs.com user to enable two-factor authentication, with which this morning’s incident would have been impossible,” Silverio added.
The developer who had his account compromise has changed his npm password, enabled two-factor authentication, and generated new tokens to access his existing npm libraries.
Similar incidents have happened in the past year
This is the third incident in the past year when a hacker has inserted malicious code in an npm package.
In May 2018, someone tried to hide a backdoor in another popular npm package named getcookies.
Similar incidents with malware ending up in package repositories have happened with Python’s PyPI [1, 2], Docker Hub, Arch Linux AUR, and the Ubuntu Store.