GMS-2018-34: Malicious Package

July 12, 2018 (updated September 14, 2021)

of eslint-scope was published without authorization and was found to contain malicious code. This code would read the users .npmrc file and send any found authentication tokens to 2 remote servers. The best course of action if you found this package installed in your environment is to revoke all your npm tokens. You can find instructions on how to do that here. https://docs.npmjs.com/getting-started/working_with_tokens#how-to-revoke-tokens

References

eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes
github.com/advisories/GHSA-hxxf-q3w9-4xgw
github.com/eslint/eslint-scope/issues/39
snyk.io/vuln/SNYK-JS-ESLINTSCOPE-11120
www.npmjs.com/advisories/673

Code Behaviors & Features

Detect and mitigate GMS-2018-34 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →