The Register

Now Pushing Malware: NPM package dev logins slurped by hacked tool popular with coders

Updated An unfortunate chain reaction was averted today after miscreants tampered with a widely used JavaScript programming tool to steal other developers’ NPM login tokens.

The open-source utility eslint-scope was altered by hackers so that, when used to analyze source code, it would copy the contents of the user’s ~/.npmrc file to an outside server via HTTPS – that file would include the victim’s NPMjs.org login token.

NPM is the JavaScript world’s package manager for libraries, toolkits, and other code projects. With those tokens in hand, scumbags could have started altering other packages to further collect login tokens, insert malicious code into programs, and so on, possibly initiating a chain reaction of cyber-crime.

Although eslint-scope has more than two million weekly downloads, we’re told only a small number of people were stung by the compromised version, and had their tokens swiped. Tokens issued before 1230 UTC today have been revoked, people should change their NPM passwords and enable two-factor authentication, and an investigation is underway to discover if any NPM packages have been vandalized via stolen credentials.

Hijacked

Version 3.7.2 of eslint-scope was pushed to NPM by miscreants who gained control of a maintainer’s NPM account for the software: that’s the poisoned version that harvested people’s NPM login tokens. It was taken offline within two hours of going live.

The credential thieves could have used the tokens to gain access to other NPM-managed projects that could, again, be used to spread more malware. NPM users download billions of packages every week.

In other words, someone lost control of their NPM account to an attacker, who then implanted malicious code in a popular tool maintained by that someone to gain access to further NPM accounts and potentially infect further packages.


Understandably, NPM has already invalidated tokens issued before 2018-07-12 1230 UTC in an attempt to prevent the further spread of evil code. Unfortunately, the damage may have already been done. NPM said “a small number” of developers, and potentially their projects, were affected by this.

“We believe the vector for this compromise was stolen credentials from one of the authorized publishers of the eslint-scope package,” NPM said in a statement on its website.

“We recommend all package authors enable two-factor auth to protect their accounts from this kind of attack.”

The hijack is believed to have kicked off some time last night, with an eslint-scope maintainer’s account receiving a new unexpected NPM token overnight, tipping off coders to a possible security breach.

“One of our maintainers did observe that a new npm token was generated overnight (said maintainer was asleep),” explained eslint dev Kevin Partington.

Anyone who used the infected version of eslint-scope has, by now, had their NPM tokens revoked, so that part of the attack has been mitigated. They should also delete the software, and install a known good version.

NPM said it will conduct a further audit of all of its managed projects to determine just how bad the breach really was. ®

Updated to add

We understand some 4,500 login tokens were potentially swiped by the rogue JavaScript utility, although there has been no sign of any malicious activity beyond the compromise of eslint-scope. NPM’s CTO CJ Silverio dropped us a note to explain:
