The npm registry maintainers invalidated developer login tokens last week after attackers compromised two legitimate packages associated with the ESLint library and rigged them with malicious code.
“On July 12th, 2018, an attacker compromised the npm account of an ESLint maintainer and published malicious versions of the eslint-scope and eslint-config-eslint packages to the npm registry,” the ESLint team said in an incident report.
The rogue versions included a malicious postinstall script that downloaded and executed rogue code from pastebin.com designed to steal users’ .npmrc files. These are local configuration files that typically contain access tokens for publishing packages to the npm registry.
In conclusion, this was a fully fledged software supply-chain attack whose goal was to compromise additional developers and potentially poison their own packages to further additional attacks.
According to the ESLint incident report, the attackers found a maintainer’s npm email and password in a third-party breach, which indicates poor password hygiene.
Reusing passwords across multiple services is a dangerous practice and a common cause for account hijackings. Attackers automatically test leaked credentials against multiple websites using so-called credential stuffing techniques.
Unfortunately, despite the widespread availability of easy-to-use password management tools, credential reuse continues to remain a common practice among users, including developers. A recent incident where malicious code was published on the Gentoo Linux repository on GitHub was also the result of an administrator having his or her password compromised in a third-party breach.
In the case of ESLint, attackers used the npm authentication token they obtained to publish a new version (5.0.2) of the eslint-config-eslint package, which contained the malicious postinstall script. They then unpublished eslint-config-eslint 5.0.2 and published eslint-scope 3.7.2 containing the same script.
Fortunately, the malicious code was spotted by an ESLint user within 40 minutes and the project’s maintainers were alerted. The eslint-scope 3.7.2 package was taken down one and a half hours later and a clean eslint-scope version (3.7.3) was published in its place so that caches would be updated.
The npm team also decided to invalidate all login tokens created before 2018-07-12 12:30 UTC in order to mitigate any potential effects the attack might have had on other developers. This action caused some load issues on npmjs.com that was quickly resolved.
“Your npm login token does not give an attacker your npm password,” the npm registry maintainers said. “You can revoke all existing tokens by visiting https://www.npmjs.com/settings/~/tokens” (log-in required).
Following the incident the ESLint team published the following recommendations for all developers who publish on npm:
- Package maintainers and users should avoid reusing the same password across multiple different sites. A password manager like 1Password or LastPass can help with this.
- Package maintainers should enable npm two-factor authentication. npm has a guide here. If you use Lerna, you can follow this issue.
- Package maintainers should audit and limit the number of people who have access to publish on npm.
- Package maintainers should be careful with using any services that auto-merge dependency upgrades.
- Application developers should use a lock file (package-lock.json or yarn.lock) to prevent the auto-install of new packages.
For more detailed information on password management and online account security, you can read our own TNS guide.
Feature image via Pixabay.