The postmortem is interesting: https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes
Recommendations

> With the hindsight of this incident, we have a few recommendations for npm
> package maintainers and users in the future:
>
> - Package maintainers and users should avoid reusing the same password
>   across multiple different sites. A password manager like 1Password or
>   LastPass can help with this.
> - Package maintainers should enable npm two-factor authentication. npm
>   has a guide here.
> - If you use Lerna, you can follow this issue.
> - Package maintainers should audit and limit the number of people who
>   have access to publish on npm.
> - Package maintainers should be careful with using any services that
>   auto-merge dependency upgrades.
> - Application developers should use a lockfile (package-lock.json or
>   yarn.lock) to prevent the auto-install of new packages.

Related: https://phabricator.wikimedia.org/T179229 Decide whether we want the
package-lock.json to commit or ignore

On Fri, Jul 13, 2018 at 6:07 AM Prateek Saxena <[email protected]> wrote:
>
> Due to a recent security incident, all user tokens have been invalidated.
>
> https://status.npmjs.org/incidents/dn7c1fgrr7ng
>
> On Fri, Jul 13, 2018 at 1:13 AM, David Barratt <[email protected]>
> wrote:
> > It's sad to see how the npm team could have taken steps to mitigate this
> > situation beforehand:
> > https://github.com/npm/npm/pull/4016
> >
> > Important lesson for everyone (including myself).
> >
> > On Thu, Jul 12, 2018 at 11:42 AM C. Scott Ananian <[email protected]>
> > wrote:
> >
> >> Further eslint-related packages seem to be infected:
> >> https://github.com/eslint/eslint/issues/10600
> >>
> >> All WM devs with publish access to npm should be using 2FA, which would
> >> mitigate this issue.
> >>
> >> All WM node packages should also be using npm shrinkwrap files; we should
> >> probably audit that.
> >> --scott
> >>
> >> On Thu, Jul 12, 2018 at 11:30 AM, Kunal Mehta <[email protected]>
> >> wrote:
> >>
> >> > -----BEGIN PGP SIGNED MESSAGE-----
> >> > Hash: SHA512
> >> >
> >> > Hi,
> >> >
> >> > If you ran eslint (JavaScript codestyle linter) recently (it was only
> >> > compromised for an hour), your npm token might have been compromised
> >> > (~/.npmrc).
> >> >
> >> > To identify if you were compromised, run:
> >> > $ locate eslint-scope | grep -i "eslint-scope/package.json" | xargs jq .version
> >> >
> >> > And if any of those show "3.7.2" then you have the bad package version
> >> > installed.
> >> >
> >> > Upstream recommends that you 1) reset your npm token and 2) enable 2fa
> >> > for npm - both can be done from the npm website. You should probably
> >> > also check to make sure none of your packages were compromised.
> >> >
> >> > There are some more details on the bug report[1].
> >> >
> >> > [1] https://github.com/eslint/eslint-scope/issues/39#issuecomment-404533026
> >> >
> >> > - -- Legoktm
> >> > -----BEGIN PGP SIGNATURE-----
> >> >
> >> > iQIzBAEBCgAdFiEE+h6fmkHn9DUCyl1jUvyOe+23/KIFAltHdC0ACgkQUvyOe+23
> >> > /KJpBg//WXBSPKhjmZd43KrHu07NsasWvrU/SAOeBtKjdaLTA3Ry5N+Fdh7LUFFk
> >> > oEm1rnz6AnfW0LPIbiDn66FTJ7jF1X6sV1GxpKhFQyYs6SL7LL4wT/XplRSwUTTD
> >> > hHccwuqPueYpD208w0zRcWVO7wpU7Lm+8xFrVwjhK7Q1AF6GzfwtmHy22fY05doM
> >> > NzXvYgB9urC1fYPQsEO6IhgNH7DT+ZtYOiHnRk2vTgr3fkIjKh4bNEdrnaQ9TOH5
> >> > junlio+07llaF/gB/JWycctuy2z2T/zENLPwhy9ZK35DgikGaMsDU7mA6iGgoxhc
> >> > TQPDnn3Veel7FBXMPCrxYMDgcBCEqENdOfQcbEl9lXDocr7UjQF/0GsvhFncMoIY
> >> > GCfdSThYV6x/U9StyBdxerbX4fCddPgd2RvKjVgDmOdsOVGCU0/iKyhgrBh3AbfP
> >> > MNf+AzYCUGvnzfDsDIF+CvJhcddSHX44N5TGLubVwIMIHsvBevC+7D9uHGaLqkem
> >> > UR8xa489SZ8LOnsL8TgtRaGXNaWqeJX7tIGPtiS5s2bzhRDr8q062VOd3J/Qw3E0
> >> > AQSixX+dQezw282RHYpCk3xuRgbN1oKvCEbOyDB97sbo19f+W2k0CmPVxIaDkr50
> >> > D729WS+6XvozYaw0z/R1aOWJTJLTe9ZUO/Zi9qhDfQtLVzTz8M8=
> >> > =WybD
> >> > -----END PGP SIGNATURE-----
> >> >
> >> > _______________________________________________
> >> > Wikitech-l mailing list
> >> > [email protected]
> >> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> >>
> >> --
> >> (http://cscott.net)
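The version check Kunal Mehta posts above (find every installed eslint-scope/package.json and look for version "3.7.2") relies on an up-to-date locate database and on jq being installed. As an added example, not code from this thread or from eslint, npm or Wikimedia, the script below does the same check with find and sed so it can run in CI or on a machine without jq, and exits non-zero when a compromised copy is present. The package name and version come from the thread; the function names, the sed-based manifest parsing and the constructed sample tree the script can build for itself are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): report installed copies of eslint-scope
# whose package.json declares the compromised version reported in the thread.

BAD_PACKAGE="eslint-scope"   # package named in the thread
BAD_VERSION="3.7.2"          # version the thread identifies as bad

# Print the "version" field of a package.json without needing jq.
# Assumption: the manifest is formatted the way npm writes it, with
# "version": "x.y.z" on its own line.
pkg_version() {
    sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# find_bad_installs DIR...  -> prints the path of every compromised manifest.
# The -path pattern matches the package's own manifest wherever it sits,
# including copies nested under other packages' node_modules.
find_bad_installs() {
    for root in "$@"; do
        find "$root" -type f -path "*/node_modules/$BAD_PACKAGE/package.json" 2>/dev/null
    done | while IFS= read -r manifest; do
        if [ "$(pkg_version "$manifest")" = "$BAD_VERSION" ]; then
            printf '%s\n' "$manifest"
        fi
    done
}

# check_tree DIR...  -> returns 1 (and lists the hits on stderr) when a
# compromised copy exists, 0 when the trees are clean. Suitable as a CI gate.
check_tree() {
    hits=$(find_bad_installs "$@")
    if [ -n "$hits" ]; then
        printf 'Compromised %s@%s found at:\n%s\n' "$BAD_PACKAGE" "$BAD_VERSION" "$hits" >&2
        return 1
    fi
    return 0
}

# make_sample_tree -> builds a constructed demo tree (not a real install):
# one clean project and one whose nested eslint-scope is the bad version.
# Prints the temporary directory it created.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/clean/node_modules/$BAD_PACKAGE" \
             "$dir/infected/node_modules/eslint/node_modules/$BAD_PACKAGE"
    printf '{\n  "name": "%s",\n  "version": "3.7.1"\n}\n' "$BAD_PACKAGE" \
        > "$dir/clean/node_modules/$BAD_PACKAGE/package.json"
    printf '{\n  "name": "%s",\n  "version": "%s"\n}\n' "$BAD_PACKAGE" "$BAD_VERSION" \
        > "$dir/infected/node_modules/eslint/node_modules/$BAD_PACKAGE/package.json"
    printf '%s\n' "$dir"
}

# Usage: sh check-eslint-scope.sh DIR [DIR...]
# Exits 1 if any tree contains the compromised package version.
if [ "$#" -gt 0 ]; then
    check_tree "$@"
fi
```

Pointing it at a home directory or a CI checkout covers the same ground as the locate pipeline in the thread but does not depend on updatedb having run since the install, which matters when the package was only published for about an hour.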
