Compromised version of eslint-scope published
Incident Report for npm
Postmortem

The ESLint team has published a statement on today's incident on their blog.

Posted Jul 12, 2018 - 20:45 UTC

Resolved
We have now invalidated all npm tokens issued before 2018-07-12 12:30 UTC, eliminating the possibility of stolen tokens being used maliciously. This is the final immediate operational action we expect to take today.

We will be conducting a forensic analysis of this incident to fully establish how many packages and users were affected, but our current belief is that it was a very small number. We will be conducting a deep audit of all the packages in the Registry to confirm this.
Posted Jul 12, 2018 - 18:52 UTC
Update
The website load incident is now resolved.
Posted Jul 12, 2018 - 18:39 UTC
Update
Invalidating tokens has created some load issues that are currently affecting npmjs.com. We are working on a solution.
Posted Jul 12, 2018 - 18:31 UTC
Update
Further clarifying: npm will revoke all tokens issued before 2018-07-12 12:30 UTC. If you rolled your tokens after that time you will not need to re-issue them.
Posted Jul 12, 2018 - 17:54 UTC
Update
We are aware that many of you have already taken action to roll your auth tokens in the last few hours. We have the ability to invalidate only older tokens, and we'll be doing so to avoid making you repeat work.
Posted Jul 12, 2018 - 17:36 UTC
Update
npm intends to invalidate all active tokens, to completely prevent the possibility of stolen tokens being used for malicious purposes. This work is ongoing, but you should expect to need to re-generate tokens for build systems etc. in the next few hours.
Posted Jul 12, 2018 - 17:15 UTC
Monitoring
To protect potentially compromised accounts, npm is invalidating all npm login tokens created between 2018-07-11 00:00 UTC and 2018-07-12 12:30 UTC (about 2 hours ago). If you believe your account specifically was compromised we still recommend visiting https://www.npmjs.com/settings/~/tokens to revoke all your tokens.
Posted Jul 12, 2018 - 16:42 UTC
Update
We continue to work on identifying and notifying affected users.

We believe the vector for this compromise was stolen credentials from one of the authorized publishers of the eslint-scope package. We recommend all package authors enable two-factor auth to protect their accounts from this kind of attack. You can find instructions on how to enable 2FA for your account here: https://docs.npmjs.com/getting-started/using-two-factor-authentication
Posted Jul 12, 2018 - 16:32 UTC
Update
We are continuing to investigate this issue.
Posted Jul 12, 2018 - 16:13 UTC
Investigating
Version 3.7.2 of the popular package `eslint-scope` was published without authorization (see https://github.com/eslint/eslint-scope/issues/39). This version contained apparently malicious code that attempted to steal npm login tokens. It has been unpublished and is no longer available.

npm is aware of this issue and is actively taking steps to investigate, identify and notify affected users, and further protect our users.

Your npm login token does not give an attacker your npm password. You can revoke all existing tokens by visiting https://www.npmjs.com/settings/~/tokens.
Posted Jul 12, 2018 - 16:13 UTC