Hacker gained access to a developer’s npm account
The hack took place on the night between July 11 and 12, according to the results of a preliminary investigation posted on GitHub a few hours ago.
“One of our maintainers did observe that a new npm token was generated overnight (said maintainer was asleep),” said Kevin Partington, ESLint project member.
The malicious version was eslint-scope 3.7.2, which npm's maintainers have since removed from the registry.
Malicious code in compromised package steals npm credentials
“The published code seems to steal npm credentials, so we do recommend that anyone who might have installed this version change their npm password and (if possible) revoke their npm tokens and generate new ones,” Partington said.
The developer whose account was compromised has changed his npm password, enabled two-factor authentication, and generated new tokens for access to his existing npm libraries.
Similar incidents have happened in the past year
This is the third incident in the past year in which a hacker has inserted malicious code into an npm package.
In May 2018, someone tried to hide a backdoor in another popular npm package named getcookies.