
gotta love npm community. here's the summary:

1. someone compromises eslint to scan for other npm credentials and upload them.

2. the code has a bug that fails in some conditions.

3. this probably ran in several devs/CI systems and stole tons of credentials.

4. the thread is about pinning the unaffected older version on all other high profile packages.

5. people start to suggest fixes for the payload exec'ing code from an http request.

in the end, attackers now have hundreds of credentials for less visible projects, and even a fix for their code. I'd say attackers are writing this off as a huge success.

npm should proactively revoke everyone's token now!



> To protect potentially compromised accounts, npm is invalidating all npm login tokens created between 2018-07-11 00:00 UTC and 2018-07-12 12:30 UTC (about 2 hours ago).

https://status.npmjs.org/incidents/dn7c1fgrr7ng


Revoking all tokens and probably unpublishing anything published since eslint-scope 3.7.2 was released (maybe limit it to things published with a token that was issued after 3.7.2 was published) is the only way to really be sure.


Shortly after your post, they did revoke all access tokens:

https://status.npmjs.org/incidents/dn7c1fgrr7ng

> To protect potentially compromised accounts, npm is invalidating all npm login tokens created between 2018-07-11 00:00 UTC and 2018-07-12 12:30 UTC (about 2 hours ago). If you believe your account specifically was compromised we still recommend visiting https://www.npmjs.com/settings/~/tokens to revoke all your tokens.

> Posted about 20 hours ago. Jul 12, 2018 - 16:42 UTC

Then later:

> We have now invalidated all npm tokens issued before 2018-07-12 12:30 UTC, eliminating the possibility of stolen tokens being used maliciously. This is the final immediate operational action we expect to take today.

> We will be conducting a forensic analysis of this incident to fully establish how many packages and users were affected, but our current belief is that it was a very small number. We will be conducting a deep audit of all the packages in the Registry to confirm this.

> Posted about 18 hours ago. Jul 12, 2018 - 18:52 UTC



