Re: [Wikitech-l] eslint compromised, reset your npm tokens
> Due to a recent security incident, all user tokens have been invalidated.
> https://status.npmjs.org/incidents/dn7c1fgrr7ng

On Fri, Jul 13, 2018 at 1:13 AM, David Barratt wrote:
> It's sad to see how the npm team could have taken steps to mitigate this
> situation beforehand:
> https://github.com/npm/npm/pull/4016

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] eslint compromised, reset your npm tokens
It's sad to see how the npm team could have taken steps to mitigate this
situation beforehand: https://github.com/npm/npm/pull/4016

Important lesson for everyone (including myself).

On Thu, Jul 12, 2018 at 11:42 AM C. Scott Ananian wrote:
> Further eslint-related packages seem to be infected:
> https://github.com/eslint/eslint/issues/10600
>
> All WM devs with publish access to npm should be using 2FA, which would
> mitigate this issue.
Re: [Wikitech-l] eslint compromised, reset your npm tokens
Further eslint-related packages seem to be infected:
https://github.com/eslint/eslint/issues/10600

All WM devs with publish access to npm should be using 2FA, which would
mitigate this issue.

All WM node packages should also be using npm shrinkwrap files; we should
probably audit that.
--scott

On Thu, Jul 12, 2018 at 11:30 AM, Kunal Mehta wrote:
> If you ran eslint (JavaScript codestyle linter) recently (it was only
> compromised for an hour), your npm token might have been compromised
> (~/.npmrc).

--
(http://cscott.net)
[Wikitech-l] eslint compromised, reset your npm tokens
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

If you ran eslint (JavaScript codestyle linter) recently (it was only
compromised for an hour), your npm token might have been compromised
(~/.npmrc).

To identify if you were compromised, run:

    $ locate eslint-scope | grep -i "eslint-scope/package.json" | xargs jq .version

And if any of those show "3.7.2" then you have the bad package version
installed.

Upstream recommends that you 1) reset your npm token and 2) enable 2FA
for npm - both can be done from the npm website. You should probably
also check to make sure none of your packages were compromised.

There are some more details on the bug report[1].

[1] https://github.com/eslint/eslint-scope/issues/39#issuecomment-404533026

--
Legoktm
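Kunal's one-liner depends on a fresh `locate` database and on `jq`. The script below is an added example, not code from the thread: it sweeps the directory roots you pass it for installed copies of eslint-scope at the compromised version 3.7.2 with POSIX tools only, and reports whether an .npmrc holds an auth token that needs rotating (without printing the token). The function names and the sample node_modules tree it builds are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the thread: report every installed copy of
# eslint-scope below the given roots that is at the compromised version
# 3.7.2, with POSIX tools only (find, sed, wc), for machines where
# `locate` has no fresh database or jq is not installed.

BAD_VERSION="3.7.2"

# Print the "version" field of the package.json given as $1.
pkg_version() {
    sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the path of each eslint-scope/package.json below the roots in $@
# whose version equals BAD_VERSION (nothing when clean).
find_bad_eslint_scope() {
    for root in "$@"; do
        find "$root" -type f -path '*/eslint-scope/package.json' 2>/dev/null
    done | while IFS= read -r f; do
        if [ "$(pkg_version "$f")" = "$BAD_VERSION" ]; then printf '%s\n' "$f"; fi
    done
}

# Number of compromised copies below the roots in $@ (0 when clean).
count_bad_eslint_scope() {
    find_bad_eslint_scope "$@" | wc -l | tr -d ' '
}

# Say whether an .npmrc ($1, default ~/.npmrc) holds an auth token that
# needs rotating; prints only yes/no, never the token itself.
npmrc_has_token() {
    f="${1:-$HOME/.npmrc}"
    if [ -f "$f" ] && grep -q '_authToken' "$f"; then echo yes; else echo no; fi
}

# Constructed sample tree: one clean copy (3.7.1) and one nested
# compromised copy (3.7.2), laid out the way npm nests node_modules.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/app/node_modules/eslint-scope" \
             "$d/app/node_modules/eslint/node_modules/eslint-scope"
    printf '{ "name": "eslint-scope", "version": "3.7.1" }\n' \
        > "$d/app/node_modules/eslint-scope/package.json"
    printf '{ "name": "eslint-scope", "version": "3.7.2" }\n' \
        > "$d/app/node_modules/eslint/node_modules/eslint-scope/package.json"
    printf '%s\n' "$d"
}
```

Source the file and run `find_bad_eslint_scope "$HOME" /srv` (or whatever roots hold your node_modules trees); `npmrc_has_token` with no argument checks your own ~/.npmrc.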