{"UUID":"3ea986e0-f370-4308-a884-20040cd74914","URL":"https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes","ArchiveURL":"https://web.archive.org/web/20260419044416/https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes/","Title":"Malicious Packages Published to npm","StartTime":"2018-07-12T09:49:00Z","EndTime":"2018-07-12T18:42:00Z","Categories":["security"],"Keywords":["npm","eslint","security","supply chain","package","malicious","javascript","2fa"],"Company":"ESLint","Product":"eslint-scope, eslint-config-eslint","SourcePublishedAt":"0001-01-01T00:00:00Z","SourceFetchedAt":"2026-05-04T17:47:12.033539Z","Summary":"On July 12th, 2018, an attacker compromised the npm account of an ESLint maintainer and published malicious packages to the npm registry.","Description":"On July 12th, 2018, an attacker compromised the npm account of an ESLint maintainer. This allowed the attacker to publish malicious versions of `eslint-config-eslint@5.0.2` and `eslint-scope@3.7.2` to the npm registry, starting at 9:49 UTC.\n\nThe malicious packages contained a postinstall script that downloaded and executed code from pastebin.com. This code was designed to exfiltrate the user's `.npmrc` file, which typically holds npm authentication tokens. The `eslint-scope` package is a dependency for several popular projects, including older ESLint versions and current Babel-ESLint and Webpack versions, indicating a potentially broad impact.\n\nThe root cause of the incident was the maintainer's npm account being compromised. This was attributed to password reuse across multiple sites and the absence of two-factor authentication on their npm account, with credentials likely obtained from a third-party data breach.\n\nUpon discovery, the malicious packages were unpublished from npm, and the pastebin.com link containing the malicious code was taken down by 12:27 UTC. The npm team also revoked all access tokens generated before 2018-07-12 12:30 UTC to mitigate further compromise. ESLint subsequently published a clean version, `eslint-scope@3.7.3`, at 17:41 UTC.\n\nAs a result of this incident, ESLint provided recommendations for package maintainers, including avoiding password reuse, enabling npm two-factor authentication, auditing publisher access, and being cautious with auto-merging dependency upgrades. Application developers were also advised to use lockfiles to prevent automatic installation of new packages."}