Malicious Packages Published to npm
ESLint · eslint-scope, eslint-config-eslint
On July 12th, 2018, an attacker compromised the npm account of an ESLint maintainer. This allowed the attacker to publish malicious versions of eslint-config-eslint@5.0.2 and eslint-scope@3.7.2 to the npm registry, starting at 9:49 UTC.
The malicious packages contained a postinstall script that downloaded and executed code from pastebin.com. This code was designed to exfiltrate the user’s .npmrc file, which typically holds npm authentication tokens. The eslint-scope package is a dependency of several popular projects, including older ESLint versions and current Babel-ESLint and Webpack versions, so the potential impact was broad.
The root cause of the incident was the maintainer’s npm account being compromised. This was attributed to password reuse across multiple sites and the absence of two-factor authentication on their npm account, with credentials likely obtained from a third-party data breach.
Upon discovery, the malicious packages were unpublished from npm, and the pastebin.com link containing the malicious code was taken down by 12:27 UTC. The npm team also revoked all access tokens generated before 2018-07-12 12:30 UTC to mitigate further compromise. ESLint subsequently published a clean version, eslint-scope@3.7.3, at 17:41 UTC.
As a result of this incident, ESLint provided recommendations for package maintainers, including avoiding password reuse, enabling npm two-factor authentication, auditing publisher access, and being cautious with auto-merging dependency upgrades. Application developers were also advised to use lockfiles to prevent automatic installation of new packages.