Compromised JavaScript Package Caught Stealing npm Credentials

Posted on Jul 13, 2018

A hacker has gained access to a developer’s npm account and injected malicious code into a popular JavaScript library, code that was designed to steal the npm credentials of users who utilize the poisoned package inside their projects. The JavaScript (npm) package that got compromised is called eslint-scope, a sub-module of the more famous ESLint, a JavaScript code analysis toolkit. The hack took place on the night between July 11 and 12, according to the results of a preliminary investigation posted on GitHub a few hours ago.

Partington believes the hacker used the newly-generated npm token to authenticate and push a new version of the eslint-scope library on the npm repository of JavaScript packages. The malicious version was eslint-scope 3.7.2, which the maintainers of the npm repository have recently taken offline.

Source: bleepingcomputer.com