According to NPM CTO Silverio, overnight between the 11th and 12th of July, a malicious attack took place on the NPM server where a hacker managed to gain access to a developer’s account and use the developer’s credentials to release a faux version of the eslint-scope library, the eslint-scope 3.7.2, which the hacked individual was responsible for maintaining. Luckily the new token generation activity was noticed soon and efforts were made to restrict and revert the change. Since then, in a thorough investigation of the breach, it was found that the malicious code was granted the ability to record NPM credentials of other developers when in use by their programs. Therefore, the NPM open source code availing community has been advised to change all account credentials and expel this particular NPM library from their projects if it has been employed into use.
Despite the massive number of weekly downloads trending for the ESLint package, it has been said that no malicious activity has been observed from the 4500 accounts that were in the direct hit to be compromised by the faux version of the code. Many tokens have still been recalled to avoid further tampering with the registry and further spreading of the infected eslint-scope package. Users have also been urged in the official statement from CJ Silverio to make use of the two factor authentication in place to prevent such malicious pushouts from happening in the future.
After every such open source attack on code, the developer’s community takes a step back in fear but in the various blog posts and editorials arising on the tech community front since the malicious attack, developers are urged to brave such incidents out to hold fast to the integrity with which open source libraries have been created for the benefit of all developers. NPM users are urged to continue forth and honor the spirit with which the open source project was initially established. If users employ all the security measures provided to them to safeguard the libraries, an attack like this will not be given any opening to occur again.