eslint-scope

Malicious package

Severity: critical

Overview

Version 3.7.2 of eslint-scope was published without authorization and was found to contain malicious code. This code would read the users .npmrc file and send any found authentication tokens to 2 remote servers.

Remediation

The best course of action if you found this package installed in your environment is to revoke all your npm tokens. You can find instructions on how to do that here. https://docs.npmjs.com/getting-started/working_with_tokens#how-to-revoke-tokens

Vulnerable versions

3.7.2
a month ago

Unaffected versions

3.7.0
a year ago
3.7.1
a year ago
4.0.0-alpha.0
4 months ago
4.0.0-rc.0
2 months ago
4.0.0
2 months ago
3.7.3
a month ago

Advisory timeline

  1. published

    Advisory published
    Jul 12th, 2018
  2. reported

    Jul 12th, 2018