Security Affairs
Fake VPN and 7-Zip Apps Turn Victims Into Residential Proxy Nodes|Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Fake VPN and 7-Zip Apps Turn Victims Into Residential Proxy Nodes|Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Crooks deployed malicious ESLint packages that steal software registry login tokens

Hackers compromised the npm account of an ESLint maintainer and published malicious versions of eslint packages to the npm registry. Crooks compromised an ESLint maintainer’s account last week and uploaded malicious packages that attempted to steal login tokens from the npm software registry. npm is the package manager for JavaScript and the world’s largest software registry. ESLint is open […]

python 2

Hackers compromised the npm account of an ESLint maintainer and published malicious versions of eslint packages to the npm registry.

Crooks compromised an ESLint maintainer’s account last week and uploaded malicious packages that attempted to steal login tokens from the npm software registry. npm is the package manager for JavaScript and the world’s largest software registry.

ESLint is open source “pluggable and configurable linter tool” for identifying and reporting on patterns in JavaScript, it was created by Nicholas Zakas.

The affected packages hosted on npm are:

  • eslint-scope version 3.7.2 o, a scope analysis library used by older versions of eslint, and the latest versions of babel-eslint and webpack.
  • eslint-config-eslint version 5.0.2 is a configuration used internally by the ESLint team.

Once the tainted packages are installed, they will download and execute code from pastebin.com that was designed to grab the content of the user’s .npmrc file and send the information to the attacker. This file usually contains access tokens for publishing to npm.

“The attacker modified package.json in both eslint-escope@3.7.2 and eslint-config-eslint@5.0.2, adding a postinstall script to run build.js. This script downloads another script from Pastebin and evals its contents.” wrote Henry Zhu about the eslint-scope attack.

“The script extracts the _authToken from a user’s .npmrc and sends it to histats and statcounter inside the Referer header,” 

The packages were quickly removed once they were discovered by maintainers and the content on pastebin.com was taken down.

“On July 12th, 2018, an attacker compromised the npm account of an ESLint maintainer and published malicious versions of the eslint-scope and eslint-config-eslint packages to the npm registry. On installation, the malicious packages downloaded and executed code from pastebin.com which sent the contents of the user’s .npmrc file to the attacker.” reads the security advisory published by ESLint.

An .npmrc file typically contains access tokens for publishing to npm. The malicious package versions are eslint-scope@3.7.2 and eslint-config-eslint@5.0.2, both of which have been unpublished from npm. The pastebin.com paste linked in these packages has also been taken down.”

ESLint packages

The npm login tokens grabbed by malicious packages don’t include user’s npm password, but npm opted to revoke possibly impacted tokens. Users can revoke existing tokens as suggested by npm.

“We have now invalidated all npm tokens issued before 2018-07-12 12:30 UTC, eliminating the possibility of stolen tokens being used maliciously. This is the final immediate operational action we expect to take today.” reads the npm’s incident report

Further investigation allowed the maintainers to determine that the account was compromised because the ower had reused the same password on multiple accounts and also didn’t enabled two-factor authentication on their npm account.

ESLint released eslint-scope version 3.7.3 and eslint-config-eslint version 5.0.3.

Users who installed the malicious packages need to update npm.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – ESLint packages, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]