Compromised JavaScript Package Caught Stealing npm Credentials

A hacker has gained access to a developer’s npm account and injected malicious code into a popular JavaScript library, code that was designed to steal the npm credentials of users who utilize the poisoned package inside their projects.

The JavaScript (npm) package that got compromised is called eslint-scope, a sub-module of the more famous ESLint, a JavaScript code analysis toolkit.

Hacker gained access to a developer’s npm account

The hack took place on the night between July 11 and 12, according to the results of a preliminary investigation posted on GitHub a few hours ago.

“One of our maintainers did observe that a new npm token was generated overnight (said maintainer was asleep),” said Kevin Partington, ESLint project member.

Partington believes the hacker used the newly-generated npm token to authenticate and push a new version of the eslint-scope library on the npm repository of JavaScript packages.

The malicious version was eslint-scope 3.7.2, which the maintainers of the npm repository have recently taken offline.

Malicious code steals npm credentials

“The published code seems to steal npm credentials, so we do recommend that anyone who might have installed this version change their npm password and (if possible) revoke their npm tokens and generate new ones,” Partington advised developers who used eslint-scope.

In an email to Bleeping Computer, npm CTO C.J. Silverio put the incident into perspective.

“We determined that access tokens for approximately 4,500 accounts could have been obtained before we acted to close this vulnerability. However, we have not found evidence that any tokens were actually obtained or used to access any account during this window,” Silverio said.

“As a precautionary measure, npm has revoked every access token that had been created prior to 2:30 pm UTC (7:30 am California time) today. This measure requires every registered npm user to re-authenticate to and generate new access tokens, but it ensures that there is no way for this morning’s vulnerability to persist or spread. We are additionally conducting a full forensic analysis to confirm that no other accounts were accessed or used to publish unauthorized code.

“This morning’s incident did not happen because of a breach, but because of a breach elsewhere that exposed a publisher’s npm credentials. To mitigate this risk, we encourage every user to enable two-factor authentication, with which this morning’s incident would have been impossible,” Silverio added.

The developer whose account was compromised has changed his npm password, enabled two-factor authentication, and generated new tokens to access his existing npm libraries.

The incident is of great importance because any stolen npm credentials can be used to repeat this attack. The hacker can use any of the stolen npm credentials to poison other JavaScript libraries that are made available via npm — a.k.a. the Node Package Manager, the semi-official package manager for the JavaScript ecosystem.

Similar incidents have happened in the past year

This is the third incident in the past year when a hacker has inserted malicious code in an npm package.

The first such incident happened in August 2017 when the npm team removed 38 JavaScript npm packages that were caught stealing environment variables from infected projects.

In May 2018, someone tried to hide a backdoor in another popular npm package named getcookies.

Similar incidents with malware ending up in package repositories have happened with Python’s PyPI [1, 2], Docker Hub, Arch Linux AUR, and the Ubuntu Store.