Hi,
If you ran eslint (JavaScript codestyle linter) recently (it was only
compromised for an hour), your npm token might have been compromised
(~/.npmrc).
To identify if you were compromised, run:
$ locate eslint-scope | grep -i "eslint-scope/packa
Further eslint-related packages seem to be infected:
https://github.com/eslint/eslint/issues/10600
All WM devs with publish access to npm should be using 2FA, which would
mitigate this issue.
All WM node packages should also be using npm shrinkwrap files; we should
probably audit that.
--scott
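An audit along the lines suggested in the message above, as an added example that is not part of the original thread: it lists every installed copy of eslint-scope with its version (to compare against the version named in the linked advisory) and every project directory that has no pinned dependency file. The function names are hypothetical, and accepting package-lock.json alongside npm-shrinkwrap.json is an assumption of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Print the "version" field of a package.json. Assumes the one-key-per-line
# layout that npm writes for installed packages.
pkg_version() {
    sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
        head -n 1
}

# List every installed copy of eslint-scope under ROOT as "version<TAB>dir",
# including copies nested inside other packages' node_modules.
find_eslint_scope() {
    find "$1" -type f -path '*/node_modules/eslint-scope/package.json' 2>/dev/null |
    while IFS= read -r manifest; do
        printf '%s\t%s\n' "$(pkg_version "$manifest")" "$(dirname "$manifest")"
    done
}

# List project directories under ROOT (a package.json outside node_modules)
# that have neither npm-shrinkwrap.json nor package-lock.json.
# Treating package-lock.json as equivalent is an assumption of this example.
find_unlocked_projects() {
    find "$1" -type d -name node_modules -prune -o \
         -type f -name package.json -print 2>/dev/null |
    while IFS= read -r manifest; do
        dir=$(dirname "$manifest")
        if [ ! -f "$dir/npm-shrinkwrap.json" ] && [ ! -f "$dir/package-lock.json" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Usage: sh audit.sh ROOT
if [ "$#" -ge 1 ]; then
    echo "== eslint-scope copies (compare versions with the advisory) =="
    find_eslint_scope "$1"
    echo "== projects without a shrinkwrap or lock file =="
    find_unlocked_projects "$1"
fi
```

Unlike `locate`, this walks the tree directly, so it does not depend on an up-to-date locate database.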
It's sad to see how the npm team could have taken steps to mitigate this
situation beforehand:
https://github.com/npm/npm/pull/4016
Important lesson for everyone (including myself).
On Thu, Jul 12, 2018 at 11:42 AM C. Scott Ananian wrote:
> Further eslint-related packages seem to be infected:
> Due to a recent security incident, all user tokens have been invalidated.
https://status.npmjs.org/incidents/dn7c1fgrr7ng
On Fri, Jul 13, 2018 at 1:13 AM, David Barratt wrote:
> It's sad to see how the npm team could have taken steps to mitigate this
> situation beforehand:
> https://github.c