Attackers were able to publish malicious code through the package manager NPM JS after gaining access to a project account via a re-used password; presumably the goal was to spy on other users. The operators have responded to the reports of compromised credentials by revoking all access tokens issued before 2:30 pm (UTC) on 12 July 2018. All 4,500 affected users of the service need to re-authenticate.
Using the compromised account, the following packages were published through NPM: firstname.lastname@example.org, babel-eslint and webpack. The affected packages have since been withdrawn from NPM JS. They contained malicious code that was probably intended to spy on other NPM users. According to NPM's initial analysis, the access tokens of around 4,500 accounts may have been exposed before the problem was found and corrected. A detailed forensic analysis is expected to clarify whether other accounts are affected and whether code has been injected into other projects without authorization.
The NPM operators state that the incident was not caused by a data leak at NPM itself; rather, the credentials of one account had been exposed elsewhere and were subsequently misused. ESLint itself states that the responsible project maintainer had re-used his password on several platforms and that it leaked from one of them. The project encourages all account owners to use two-factor authentication in future to avoid similar problems.
"Two-factor authentication is one of the most important security measures - for private individuals, but especially in a corporate environment," says G DATA Security Evangelist Tim Berghoff. "Even if login credentials have been spied on, access is not possible in this case. Especially important infrastructure such as a package manager should be particularly well secured." Two-factor authentication can be implemented easily using smartphone apps. Alternatively, hardware-based solutions such as USB tokens can be used, which are connected to the computer for login.