On July 12th, 2018, an issue was opened in the eslint-scope repository. After analysis it became clear that this was a far more serious problem than a broken release: the package had been deliberately compromised.
Two malicious releases, eslint-scope 3.7.2 and eslint-config-eslint 5.0.2, may have exposed the contents of your .npmrc file. Because eslint-scope is a dependency of ESLint itself, you can be affected without depending on it directly; check your lockfile and node_modules, not just package.json. If either version was installed, treat every credential in that .npmrc (npm tokens and any private-registry tokens) as leaked and revoke it.
If you’re using ESLint through Codacy, there is nothing you need to do: Codacy runs analysis tools without internet access, so the install-time payload could neither fetch its second stage nor send anything out.
The attacker published “malicious versions of the eslint-scope and eslint-config-eslint packages to the npm registry. On installation, the malicious packages downloaded and executed code from pastebin.com which sent the contents of the user’s .npmrc file to the attacker. An .npmrc file typically contains access tokens for publishing to npm.” You can find more details in the ESLint postmortem.
- NPM incident – https://status.npmjs.org/incidents/dn7c1fgrr7ng
- ESLint postmortem – https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes
- Original report – https://github.com/eslint/eslint-scope/issues/39
Wrapping it up
Codacy is used by thousands of developers to analyze billions of lines of code every day!
Getting started is easy – and free! Just use your GitHub, Bitbucket or Google account to sign up.