GHSA-pv55-r6j3-wp94

Source

https://github.com/advisories/GHSA-pv55-r6j3-wp94

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-pv55-r6j3-wp94/GHSA-pv55-r6j3-wp94.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-pv55-r6j3-wp94

Published

2020-09-01T20:45:57Z

Modified

2023-07-27T00:04:06Z

Summary

Malicious Package in eslint-config-eslint

Details

Version 5.0.2 of eslint-config-eslint was published without authorization and was found to contain malicious code. This code would read the users .npmrc file and send any found authentication tokens to a remote server.

Recommendation

The best course of action if you found this package installed in your environment is to revoke all your npm tokens. You can find instructions on how to do that here. https://docs.npmjs.com/getting-started/workingwithtokens#how-to-revoke-tokens

Users may consider downgrading to version 5.0.1

Database specific

{
    "github_reviewed_at": "2020-08-31T18:32:17Z",
    "nvd_published_at": null,
    "github_reviewed": true,
    "cwe_ids": [],
    "severity": "CRITICAL"
}

References

https://www.npmjs.com/advisories/674

Affected packages

npm / eslint-config-eslint

Package

Name: eslint-config-eslint; View open source insights on deps.dev
Purl: pkg:npm/eslint-config-eslint

Affected ranges

Affected versions

5.*

5.0.2