Skip to content

Malicious Package in eslint-config-eslint

Critical severity GitHub Reviewed Published Sep 1, 2020 to the GitHub Advisory Database • Updated Jul 27, 2023

Package

npm eslint-config-eslint (npm)

Affected versions

= 5.0.2

Patched versions

None

Description

Version 5.0.2 of eslint-config-eslint was published without authorization and was found to contain malicious code. This code would read the users .npmrc file and send any found authentication tokens to a remote server.

Recommendation

The best course of action if you found this package installed in your environment is to revoke all your npm tokens. You can find instructions on how to do that here. https://docs.npmjs.com/getting-started/working_with_tokens#how-to-revoke-tokens

Users may consider downgrading to version 5.0.1

References

Reviewed Aug 31, 2020
Published to the GitHub Advisory Database Sep 1, 2020
Last updated Jul 27, 2023

Severity

Critical

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-pv55-r6j3-wp94

Source code

No known source code
Checking history
See something to contribute? Suggest improvements for this vulnerability.