Compromised JavaScript Package Caught Stealing npm Credentials


A hacker gained access to a developer’s npm account and injected malicious code into a popular JavaScript library; the injected code was designed to steal the npm credentials of users who used the poisoned package inside their projects.

The JavaScript (npm) package that got compromised is called eslint-scope, a sub-module of the more famous ESLint, a JavaScript code analysis toolkit.

Hacker gained access to a developer’s npm account

The hack took place on the night between July 11 and 12, according to the results of a preliminary investigation posted on GitHub a few hours ago.

“One of our maintainers did observe that a new npm token was generated overnight (said maintainer was asleep),” said Kevin Partington, ESLint project member.

Partington believes the hacker used the newly-generated npm token to authenticate and push a new version of the eslint-scope library on the npm repository of JavaScript packages.

The malicious version was eslint-scope 3.7.2, which the maintainers of the npm repository have recently taken offline.

Malicious code in compromised package steals npm credentials

“The published code seems to steal npm credentials, so we do recommend that anyone who might have installed this version change their npm password and (if possible) revoke their npm tokens and generate new ones,” Partington said.

The developer whose account was compromised has changed his npm password, enabled two-factor authentication, and generated new tokens to access his existing npm libraries.

The incident is of great importance because the stolen npm credentials can be used in the same way this attack was carried out. The hacker can use any of the stolen npm credentials to poison other JavaScript libraries that are made available via npm (a.k.a. the Node Package Manager, the semi-official package manager for the JavaScript ecosystem).

Similar incidents have happened in the past year

This is the third incident in the past year in which a hacker has inserted malicious code into an npm package.

The first such incident happened in August 2017 when the npm team removed 38 JavaScript npm packages that were caught stealing environment variables from infected projects.

In May 2018, someone tried to hide a backdoor in another popular npm package named getcookies.

Similar incidents with malware ending up in package repositories have happened with Python’s PyPI [1, 2], Docker Hub, Arch Linux AUR, and the Ubuntu Store.
