Home > Vulnerability Database > WS-2018-0143

Mend.io Vulnerability Database

WS-2018-0143

Good to know:

Date: January 13, 2018

"An attacker compromised the npm account of an ESLint maintainer and published malicious packages to the npm registry.On installation, the malicious packages downloaded and executed code from pastebin.com which sent the contents of the user’s .npmrc file to the attacker. An .npmrc file typically contains access tokens for publishing to npm."

Language: JS

Severity Score

9.8

Related Resources (4)

Url: https://github.com/eslint/eslint-scope/issues/39

Url: https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes

Url: https://github.com/npm/npm/issues/21202

Url: https://www.mend.io/vulnerability-database/WS-2018-0143

Severity Score

9.8

Weakness Type (CWE)

Code

CWE-17

Top Fix

Upgrade Version

Upgrade to version eslint-scope - 3.7.3; eslint-config-eslint - 5.0.1

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

WS-2018-0143

Good to know:

Date: January 13, 2018

Language: JS

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?