eslint compromised, reset your npm tokens


eslint compromised, reset your npm tokens

Kunal Mehta

Hi,

If you ran eslint (JavaScript codestyle linter) recently (it was only
compromised for an hour), your npm token might have been compromised
(~/.npmrc).

To identify if you were compromised, run:
$ locate eslint-scope | grep -i "eslint-scope/package.json" | xargs jq .version

And if any of those show "3.7.2" then you have the bad package version
installed.

Upstream recommends that you 1) reset your npm token and 2) enable 2fa
for npm - both can be done from the npm website. You should probably
also check to make sure none of your packages were compromised.

There are some more details on the bug report[1].

[1]
https://github.com/eslint/eslint-scope/issues/39#issuecomment-404533026

-- Legoktm

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: eslint compromised, reset your npm tokens

C. Scott Ananian
Further eslint-related packages seem to be infected:
https://github.com/eslint/eslint/issues/10600

All WM devs with publish access to npm should be using 2FA, which would
mitigate this issue.

All WM node packages should also be using npm shrinkwrap files; we should
probably audit that.
 --scott

On Thu, Jul 12, 2018 at 11:30 AM, Kunal Mehta <[hidden email]>
wrote:

--
(http://cscott.net)

Re: eslint compromised, reset your npm tokens

David Barratt
It's sad to see how the npm team could have taken steps to mitigate this
situation beforehand:
https://github.com/npm/npm/pull/4016

Important lesson for everyone (including myself).

On Thu, Jul 12, 2018 at 11:42 AM C. Scott Ananian <[hidden email]>
wrote:


Re: eslint compromised, reset your npm tokens

Prateek Saxena
> Due to a recent security incident, all user tokens have been invalidated.

https://status.npmjs.org/incidents/dn7c1fgrr7ng

On Fri, Jul 13, 2018 at 1:13 AM, David Barratt <[hidden email]> wrote:


Re: eslint compromised, reset your npm tokens

Joaquin Oltra Hernandez
The postmortem is interesting:
https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes

Recommendations

> With the hindsight of this incident, we have a few recommendations for npm
> package maintainers and users in the future:
>
>    - Package maintainers and users should avoid reusing the same password
>    across multiple different sites. A password manager like 1Password or
>    LastPass can help with this.
>    - Package maintainers should enable npm two-factor authentication. npm
>    has a guide here.
>    - If you use Lerna, you can follow this issue.
>    - Package maintainers should audit and limit the number of people who
>    have access to publish on npm.
>    - Package maintainers should be careful with using any services that
>    auto-merge dependency upgrades.
>    - Application developers should use a lockfile (package-lock.json or
>    yarn.lock) to prevent the auto-install of new packages.
>
Related: https://phabricator.wikimedia.org/T179229 Decide whether we want the package-lock.json to commit or ignore

On Fri, Jul 13, 2018 at 6:07 AM Prateek Saxena <[hidden email]>
wrote:
