Re: [Wikitech-l] eslint compromised, reset your npm tokens

2018-07-13 Thread Joaquin Oltra Hernandez
The postmortem is interesting: https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes

Recommendations

> With the hindsight of this incident, we have a few recommendations for npm
> package maintainers and users in the future:
>
> - Package maintainers and users should avoid

Re: [Wikitech-l] eslint compromised, reset your npm tokens

2018-07-12 Thread Prateek Saxena
> Due to a recent security incident, all user tokens have been invalidated.

https://status.npmjs.org/incidents/dn7c1fgrr7ng

On Fri, Jul 13, 2018 at 1:13 AM, David Barratt wrote:
> It's sad to see how the npm team could have taken steps to mitigate this
> situation beforehand:
>

Re: [Wikitech-l] eslint compromised, reset your npm tokens

2018-07-12 Thread David Barratt
It's sad to see how the npm team could have taken steps to mitigate this situation beforehand: https://github.com/npm/npm/pull/4016

Important lesson for everyone (including myself).

On Thu, Jul 12, 2018 at 11:42 AM C. Scott Ananian wrote:
> Further eslint-related packages seem to be infected:

Re: [Wikitech-l] eslint compromised, reset your npm tokens

2018-07-12 Thread C. Scott Ananian
Further eslint-related packages seem to be infected: https://github.com/eslint/eslint/issues/10600

All WM devs with publish access to npm should be using 2FA, which would mitigate this issue.

All WM node packages should also be using npm shrinkwrap files; we should probably audit that.

--scott