├── .gitignore
├── LICENSE
├── README.md
└── exploited-packages.json

/.gitignore:
--------------------------------------------------------------------------------
```gitignore
# Logs
logs
*.log
npm-debug.log*
yarn-debug.log*
yarn-error.log*

# Runtime data
pids
*.pid
*.seed
*.pid.lock

# Directory for instrumented libs generated by jscoverage/JSCover
lib-cov

# Coverage directory used by tools like istanbul
coverage

# nyc test coverage
.nyc_output

# Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
.grunt

# Bower dependency directory (https://bower.io/)
bower_components

# node-waf configuration
.lock-wscript

# Compiled binary addons (https://nodejs.org/api/addons.html)
build/Release

# Dependency directories
node_modules/
jspm_packages/

# TypeScript v1 declaration files
typings/

# Optional npm cache directory
.npm

# Optional eslint cache
.eslintcache

# Optional REPL history
.node_repl_history

# Output of 'npm pack'
*.tgz

# Yarn Integrity file
.yarn-integrity

# dotenv environment variables file
.env

# next.js build output
.next
```
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2018 RunKit

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# eslint-scope virus scan

[RunKit](https://runkit.com) is in the unique position of having the built source of every package
on npm readily available, so we've kicked off an initial simple scan of every
package currently published to see whether this virus is present anywhere else
in the registry. The process is ongoing and we will be updating this
README with our findings, as well as filing issues on any projects if we get a
positive hit. We have already [found one instance](https://github.com/runkitdev/eslint-scope-scan/blob/master/README.md#eslint-config-airbnb-standard200) that was previously unreported;
it is detailed below. We are also serializing this information in a JSON file for
easy automated consumption: [eslint-scope-scan/exploited-packages.json](./exploited-packages.json)

This is a fairly simplistic scan, just searching for the strings
`sstatic1.histats.com` and `raw/XLeVP82h`, designed to quickly discover and
mitigate any pure copies of this virus; it probably won't catch cases where the
code has been significantly altered. We are open to suggestions from the
community about additional steps we could take. Again, we're in a position few
others are in to actually check all the source, and so we feel it is our
responsibility to help in any way we can.

Ultimately, we are hoping that this was caught fast enough to not have had a
chance to spread, and that this work will prove to have been an abundance of caution. The
node community is certainly large enough that "enough eyes [may] make every
vulnerability shallow", and the already great (and quick!) work by the
eslint-scope team and npm have hopefully stopped this before it had a chance to
grow.

## Known Packages With Vulnerability

1. ### eslint-scope@3.7.2

   | status | bug |
   |--------|---------------|
   | unpublished | [eslint-scope #39](https://github.com/eslint/eslint-scope/issues/39) |

   The package that we believe had the original vulnerability.

2. ### eslint-config-eslint@5.0.2

   | status | bug |
   |--------|---------------|
   | unpublished | [eslint-scope #39](https://github.com/eslint/eslint-scope/issues/39) |

   A related package that was quickly discovered to also contain the vulnerability.

3. ### eslint-config-airbnb-standard@2.0.0

   | status | bug |
   |--------|---------------|
   | **unpublished** | [eslint-config-airbnb-standard #3](https://github.com/doasync/eslint-config-airbnb-standard/issues/3) |

   **Update: npm has unpublished this package. It was confirmed that the virus will still take effect even though it was in `bundledDependencies`, so please remove this version of this package if you are using it.**

   RunKit's virus scan detected that `eslint-config-airbnb-standard@2.0.0` contains `eslint-scope@3.7.2` in its `bundleDependencies`. Unlike `dependencies`, `bundledDependencies` are not downloaded separately from npm at install but rather included directly in the tarball. This means that this version will always be susceptible to the bug despite not necessarily having been directly compromised itself, since it will always contain the originally affected `eslint-scope`. ~~Given that the virus takes action during installation and eslint-scope is present in `bundledDependencies`, it is **possible** that the bug won't have a chance to take effect. However, we have not thoroughly tested this and it is recommended you move away from this version either way. Version 2.1.0 does not appear to have the vulnerability.~~ **It is now confirmed that the virus is active in this package. Despite being in `bundledDependencies`, the virus will still run the post-hook script on install; it is important to remove this package if you are using it.**
--------------------------------------------------------------------------------

/exploited-packages.json:
--------------------------------------------------------------------------------
```json
{
  "eslint-scope": {
    "version": "3.7.2",
    "file": "./lib/build.js"
  },
  "eslint-config-eslint": {
    "version": "5.0.2"
  },
  "eslint-config-airbnb-standard": {
    "version": "2.0.0",
    "file": "./node_modules/eslint-scope/lib/build.js",
    "runkitLink": "https://npm.runkit.com/eslint-config-airbnb-standard/node_modules/eslint-scope/lib/build.js?t=1531400059206"
  }
}
```
--------------------------------------------------------------------------------
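The string scan the README describes, plus the `bundledDependencies` check that caught `eslint-config-airbnb-standard`, as an added example that is not RunKit's own scanner: it walks an unpacked package held as an in-memory path-to-contents map (a constructed stand-in for an extracted tarball), searches every file for the two indicator strings, checks whether any bundled dependency is a known-bad version, and emits an entry in the shape of `exploited-packages.json`. The `KNOWN_BAD` table and the `bundled` field in the result are assumptions of this example.

```javascript
// Indicator strings from the README; a hit on either flags the file.
const INDICATORS = ['sstatic1.histats.com', 'raw/XLeVP82h'];
// Versions already confirmed bad (assumed table). A bundled copy of one of
// these is a hit even when the outer package's own files are clean.
const KNOWN_BAD = { 'eslint-scope': ['3.7.2'] };

// `files` maps relative paths inside the unpacked tarball to their contents.
function findIndicatorHits(files) {
  return Object.keys(files)
    .filter((path) => INDICATORS.some((s) => files[path].includes(s)))
    .map((path) => './' + path.replace(/^\.?\/+/, ''));
}

// bundledDependencies ship inside the tarball rather than being resolved from
// the registry, so check the bundled copy's own manifest for a bad version.
function findBundledBad(files) {
  const pkg = JSON.parse(files['package.json'] || '{}');
  // npm honours both spellings of the field.
  const bundled = pkg.bundledDependencies || pkg.bundleDependencies || [];
  const bad = [];
  for (const dep of bundled) {
    const manifest = files[`node_modules/${dep}/package.json`];
    if (!manifest) continue;
    const { version } = JSON.parse(manifest);
    if ((KNOWN_BAD[dep] || []).includes(version)) bad.push({ dep, version });
  }
  return bad;
}

// Returns an exploited-packages.json style entry, or null if the package is clean.
function scanPackage(files) {
  const pkg = JSON.parse(files['package.json']);
  const hits = findIndicatorHits(files);
  const bundledBad = findBundledBad(files);
  if (hits.length === 0 && bundledBad.length === 0) return null;
  const entry = { version: pkg.version };
  if (hits.length) entry.file = hits[0];
  if (bundledBad.length) entry.bundled = bundledBad;
  return entry;
}

// Constructed sample: a clean outer package that bundles the affected eslint-scope.
const SAMPLE = {
  'package.json': JSON.stringify({ name: 'demo-config', version: '2.0.0', bundledDependencies: ['eslint-scope'] }),
  'index.js': 'module.exports = { extends: [] };',
  'node_modules/eslint-scope/package.json': JSON.stringify({ name: 'eslint-scope', version: '3.7.2' }),
  'node_modules/eslint-scope/lib/build.js': '// constructed stand-in line containing the indicator raw/XLeVP82h',
};
```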