Calamity avoided due to poorly written malware.
The security advice follows an announcement last week that an attacker compromised the NPM account of an ESLint maintainer and published malicious versions of the eslint-scope and eslint-config-eslint packages to the NPM registry.
In a post-mortem of events, ESLint said that, once installed, the malicious packages downloaded and executed code from pastebin.com, which sent the user’s NPM access tokens to the attacker.
According to ESLint, the maintainer whose account was compromised had reused their NPM password on “several other sites and did not have 2FA enabled on their NPM account”.
The oversight meant that anyone who installed one of the malicious versions ran the attacker's payload on their own machine, and any project that depended on those packages pulled the malicious code into its own dependency tree. Further down the chain, anyone installing such a dependent package also ran the risk of executing the malware on their own system.
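One practical check for the transitive exposure described above is to scan a project's package-lock.json for the compromised releases at any depth of the tree. The following is an added example, not code from ESLint or npm; the two version numbers are the ones ESLint's post-mortem named as malicious (the article itself does not quote them), and the lock-file documents are constructed for this example. Both the older nested `dependencies` layout (lockfileVersion 1) and the flattened `packages` map (lockfileVersion 2 and 3) are handled.

```javascript
// Added example (not ESLint's or npm's code): scan a package-lock.json for
// known-compromised package versions anywhere in the dependency tree.
// The versions listed are those named in ESLint's post-mortem.
const KNOWN_BAD = new Map([
  ['eslint-scope', new Set(['3.7.2'])],
  ['eslint-config-eslint', new Set(['5.0.2'])],
]);

// Constructed lockfileVersion 1 document: the app depends on a tool that
// transitively pulls in the malicious eslint-scope release.
const SAMPLE_LOCK_V1 = JSON.stringify({
  name: 'my-app', version: '1.0.0', lockfileVersion: 1,
  dependencies: {
    'some-linter-wrapper': {
      version: '2.0.0',
      dependencies: {
        'eslint-scope': { version: '3.7.2' },
      },
    },
    'eslint-config-eslint': { version: '5.0.1' },
    'lodash': { version: '4.17.10' },
  },
});

// Constructed lockfileVersion 3 document (npm 7+), which flattens the tree
// into a "packages" map keyed by install path.
const SAMPLE_LOCK_V3 = JSON.stringify({
  name: 'my-app', version: '1.0.0', lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/eslint-config-eslint': { version: '5.0.2' },
    'node_modules/some-linter-wrapper': { version: '2.0.0' },
    'node_modules/some-linter-wrapper/node_modules/eslint-scope': { version: '3.7.2' },
  },
});

function isBad(name, version) {
  const bad = KNOWN_BAD.get(name);
  return Boolean(bad && bad.has(version));
}

// Walk a v1 "dependencies" tree, recording the path at which each hit appears.
function walkV1(deps, path, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = [...path, name];
    if (isBad(name, entry.version)) {
      hits.push({ name, version: entry.version, path: here.join(' > ') });
    }
    walkV1(entry.dependencies, here, hits);
  }
}

// Walk a v2/v3 "packages" map; the package name (scoped or not) is whatever
// follows the last "node_modules/" segment of the key.
function walkPackages(packages, hits) {
  for (const [key, entry] of Object.entries(packages || {})) {
    if (key === '') continue; // the root project itself
    const name = key.split('node_modules/').pop();
    if (isBad(name, entry.version)) {
      hits.push({ name, version: entry.version, path: key });
    }
  }
}

// Returns every compromised (name, version) found, with where it sits in the tree.
function findCompromised(lockText) {
  const lock = JSON.parse(lockText);
  const hits = [];
  if (lock.packages) walkPackages(lock.packages, hits);
  else walkV1(lock.dependencies, [], hits);
  return hits;
}

// Stand-alone usage: node scan.js [path/to/package-lock.json]
if (typeof module !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const text = process.argv[2] ? fs.readFileSync(process.argv[2], 'utf8') : SAMPLE_LOCK_V1;
  for (const hit of findCompromised(text)) {
    console.log(`COMPROMISED ${hit.name}@${hit.version} at ${hit.path}`);
  }
}
```

A hit in a lock file means the malicious tarball was resolved on some machine that ran `npm install`, so the credentials on every such machine should be treated as exposed, not just the package updated.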
The domino effect
Fortunately, it transpired that the credential-stealing malware was not built correctly: it tried to execute the downloaded code as each chunk of the HTTP response arrived, rather than waiting for the full body, so it failed with an exception whenever the payload was delivered in more than one piece. This greatly reduced its ability to spread.
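The failure mode is a general one in Node.js stream handling, not specific to this payload: a response body is emitted as a series of `'data'` events and a single `'end'` event, and code that treats each `'data'` chunk as the whole body only works while the body happens to fit in one chunk. The following added example (not the malware's code and not ESLint's) emulates that event sequence so it runs offline, and uses `JSON.parse` as a benign stand-in for executing the fetched text; the payload document and the chunk sizes are constructed for the example.

```javascript
// Added example (not the malware, not ESLint's code): why acting on each
// HTTP 'data' chunk fails when the consumer expects the complete body.
// deliver() emulates how a Node.js IncomingMessage emits one 'data' event
// per chunk and a single 'end' event once the body is complete.
function deliver(body, chunkSize, handlers) {
  for (let i = 0; i < body.length; i += chunkSize) {
    handlers.data(body.slice(i, i + chunkSize));
  }
  handlers.end();
}

// Buggy pattern: treat every chunk as the complete payload. Succeeds only
// while the body arrives in a single chunk; otherwise the first partial
// chunk throws a SyntaxError (the "exception" a developer noticed).
function parseOnData(body, chunkSize) {
  const results = [];
  try {
    deliver(body, chunkSize, {
      data: chunk => results.push(JSON.parse(chunk)),
      end: () => {},
    });
    return { ok: true, results };
  } catch (err) {
    return { ok: false, error: err.constructor.name, parsedBeforeFailure: results.length };
  }
}

// Correct pattern: buffer every chunk and act once on 'end'.
function parseOnEnd(body, chunkSize) {
  let buffered = '';
  let parsed;
  deliver(body, chunkSize, {
    data: chunk => { buffered += chunk; },
    end: () => { parsed = JSON.parse(buffered); },
  });
  return parsed;
}

// Constructed stand-in for a fetched document; 59 bytes, so a 16-byte
// chunk size splits it into four pieces.
const PAYLOAD = JSON.stringify({ kind: 'fetched-config', steps: ['a', 'b', 'c'], ok: true });

if (typeof module !== 'undefined' && require.main === module) {
  console.log('single chunk:', parseOnData(PAYLOAD, PAYLOAD.length));
  console.log('16-byte chunks, per-chunk parse:', parseOnData(PAYLOAD, 16));
  console.log('16-byte chunks, parse on end:', parseOnEnd(PAYLOAD, 16));
}
```

With a real `http.get` response the same `'data'`/`'end'` events apply, and chunk boundaries depend on network conditions and server buffering, which is why a naive fetch-then-execute can work on an author's machine and break everywhere else. From the defender's side the lesson is the opposite one: the payload fizzled by accident, and the next one will buffer correctly.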
The issue was quickly resolved after one developer spotted an exception and flagged the malware to the ESLint open-source community.
NPM has revoked all access tokens issued before 12:30 UTC on July 12. As a result, any access tokens compromised by this attack should no longer be usable.
“We, the ESLint team, are sorry for allowing this to happen,” the organization said in a statement last week. “We hope that other package maintainers can learn from our mistakes and improve the security of the whole NPM ecosystem.”
In the wake of the attack, Mathias Bynens, developer advocate on the Google V8 team, said: “If you have an NPM account, enable two-factor authentication if you haven’t already.
“2FA is an additional line of defense against attacks such as the recently compromised eslint-scope which steals NPM authentication tokens.”