Further eslint-related packages seem to be infected:
https://github.com/eslint/eslint/issues/10600

All WM devs with publish access to npm should be using 2FA, which would
mitigate this issue.

All WM node packages should also be using npm shrinkwrap files; we should
probably audit that.
 --scott

On Thu, Jul 12, 2018 at 11:30 AM, Kunal Mehta <lego...@member.fsf.org>
wrote:

> Hi,
>
> If you ran eslint (JavaScript codestyle linter) recently (it was only
> compromised for an hour), your npm token might have been compromised
> (~/.npmrc).
>
> To identify if you were compromised, run:
> $ locate eslint-scope | grep -i "eslint-scope/package.json" | xargs jq .version
>
> And if any of those show "3.7.2" then you have the bad package version
> installed.
>
> Upstream recommends that you 1) reset your npm token and 2) enable 2fa
> for npm - both can be done from the npm website. You should probably
> also check to make sure none of your packages were compromised.
>
> There are some more details on the bug report[1].
>
> [1]
> https://github.com/eslint/eslint-scope/issues/39#issuecomment-404533026
>
> - -- Legoktm
>
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l




-- 
(http://cscott.net)