Calamity avoided due to poorly written malware

Users of the NPM JavaScript package manager have been urged to enable two-factor authentication (2FA) after it was discovered that a malicious alteration to a popular open-source utility was attempting to steal developers’ credentials.

The security advice follows an announcement last week that an attacker compromised the NPM account of an ESLint maintainer and published malicious versions of the eslint-scope and eslint-config-eslint packages to the NPM registry.

In a post-mortem of events, ESLint said that, once installed, the malicious packages downloaded and executed code from pastebin.com, which sent the user’s NPM access tokens to the attacker.

Suspicious package

ESLint is a popular JavaScript linting utility that allows users to find problematic patterns or code that doesn’t adhere to style guidelines. The eslint-scope analysis package has more than two million weekly downloads.

According to ESLint, the maintainer whose account was compromised had reused their NPM password on “several other sites and did not have 2FA enabled on their NPM account”.

The oversight meant that anyone using the malicious package had inadvertently injected malware into their own software product. Further down the chain, anyone using this compromised software also ran the risk of installing the malware on their own system.

The domino effect

Fortunately, it transpired that the credential-sniffing malware was not built correctly, as it tried to execute code before it had finished fetching it. This greatly reduced its ability to spread.

The issue was quickly resolved after one developer spotted an exception and flagged the malware to the ESLint open-source community.

NPM has revoked all access tokens issued before 12:30 UTC on July 12. As a result, any access tokens compromised by this attack should no longer be usable.

“We, the ESLint team, are sorry for allowing this to happen,” the organization said in a statement last week. “We hope that other package maintainers can learn from our mistakes and improve the security of the whole NPM ecosystem.”

In the wake of the attack, Mathias Bynens, developer advocate on the Google V8 team, said: “If you have an NPM account, enable two-factor authentication if you haven’t already.

“2FA is an additional line of defense against attacks such as the recently compromised eslint-scope which steals NPM authentication tokens.”