Resources Blog 3 steps to deal with the aftermath of the highjacked ...

3 steps to deal with the aftermath of the highjacked eslint-scope package

Yesterday at noon BST a new github issue was opened in the popular eslint repository on github. Someone had highjacked this package and published a version that attempts to download malicious javascript code from pastebin and then collects and sends out the user's npmrc token (a token used to authenticate with a remote repository) to the perpetrator.

The eslint-scope package is hugely popular with over two million downloads each week. An estimated 4500 tokens have been leaked, due to this implication npm inc announced yesterday they will be revoking all user tokens created before the event.

Screen Shot 2018-07-13 at 10.47.06

In a post-mortem published by the eslint project they apologised for the event and published a timeline of the attack.  They then offered recommendations like always using lockfiles with package managers over open version ranges.

The good news is this situation was handled expertly by the entire open source community and shows the power of being able to audit and inspect the code being pulled in. It is now the duty of each consumer of open source to take advantage of the great work done in the community to ensure you can find and address the issue as fast as is possible. 

According to Laurie Voss (@seldo), users of npm 6 or newer will automatically be notified of this issue if they attempt to build with the component. If you are using a private artifact repository manager internally like our Nexus Repository, you might want to consider revoking all internal tokens as well, if you discover this component was downloaded by your organisation.

Below are three steps you can take today to deal with the aftermath of this package event.

1. Discover which applications have the bad version of eslint-scope and eslint-config-eslint

Our data team fast tracked all security notices related to this component, so users of our Nexus Lifecycle and Firewall will be covered.

If you have continuous monitoring turned on you will already have received automatic notices of the issue.

To manually search for applications that might potentially have pulled this malicious component see my previous post on the subject.

2. Revoke all npmrc tokens in Nexus Repository manager and delete the components

The best way to avoid any adverse effects is to delete the component from NXRM immediately. The affected components are eslint-scope@3.7.2 and eslint-config-eslint@5.0.2. 

Deleting components from nexus through the API

Deleting components through the GUI:

Search and locate the component and delete it from the GUI. As an example deleting the component

Screen Shot 2018-07-13 at 15.56.59

As an additional precaution you may also wish to revoke all authentication tokens for npm. This is simply done by forcing the user's password to change if using the internal Nexus user account management or using old style npm authentication strings.
Revoking all user tokens:   User tokens can be invalidated by hitting the “Reset all user tokens” button on the user tokens screen administration screen. User tokens are format agnostic and will reset for ALL formats.
Screen Shot 2018-07-16 at 07.33.24 
Using the internal user manager of Nexus, administrative users can force a password change using Nexus' built-in user manager on each user.

You can also temporarily disable the npm bearer auth token Realm if you do not wish for users to be able to access the system while this change is happening.

3. Stay calm and test for it

The staple of any good dependency management diet is preferring absolute versions via lockfiles over open version ranges or latest. Including these practices with your build is  absolutely vital in preventing automatic downloads of new components as they are being published.

The Sonatype Intelligence group monitors hundreds of different sources for issues every day - and update our security intelligence on how to mitigate the issue several times a day.

Use @sonatype folks, because life is too short for the absolute cluster [bleep] that is javascript Thanks for keeping me safe you beautiful bunch of angels 🔥😍🔥😍🔥

— Edward Prentice (@EdwardPrentice) July 12, 2018

Nexus Lifecycle helps users automate discovering and fixing issues with actionable intelligence. To find out more see the below demo of our full stack and run a free application health check to identify what's in your application.





Picture of Ilkka Turunen

Written by Ilkka Turunen

Ilkka serves as Field CTO at Sonatype. He is a software engineer with a knack for rapid web-development and cloud computing and with technical experience on multiple levels of the XaaS cake. Ilkka is interested in anything and everything, always striving to learn any relevant skills that help towards building Sonatype for success.