With the hindsight of this incident, we have a few recommendations for npm package maintainers and users in the future:
- Package maintainers and users should avoid reusing the same password across multiple different sites. A password manager like 1Password or LastPass can help with this.
- Package maintainers should enable npm two-factor authentication. npm has a guide here.
- If you use Lerna, you can follow this issue.
- Package maintainers should audit and limit the number of people who have access to publish on npm.
- Package maintainers should be careful with using any services that auto-merge dependency upgrades.
- Application developers should use a lockfile (package-lock.json or yarn.lock) to prevent the auto-install of new packages.
Related:
https://phabricator.wikimedia.org/T179229 Decide whether we want the package-lock.json to commit or ignore
On Fri, Jul 13, 2018 at 6:07 AM Prateek Saxena <psaxena(a)wikimedia.org> wrote:
Due to a recent security incident, all user tokens have been invalidated.
https://status.npmjs.org/incidents/dn7c1fgrr7ng
On Fri, Jul 13, 2018 at 1:13 AM, David Barratt <dbarratt(a)wikimedia.org> wrote:
It's sad to see how the npm team could have taken steps to mitigate this situation beforehand:
https://github.com/npm/npm/pull/4016
Important lesson for everyone (including myself).
On Thu, Jul 12, 2018 at 11:42 AM C. Scott Ananian <cananian(a)wikimedia.org> wrote:
> Further eslint-related packages seem to be infected:
> https://github.com/eslint/eslint/issues/10600
>
> All WM devs with publish access to npm should be using 2FA, which would
> mitigate this issue.
>
> All WM node packages should also be using npm shrinkwrap files; we should
> probably audit that.
> --scott
>
> On Thu, Jul 12, 2018 at 11:30 AM, Kunal Mehta <legoktm(a)member.fsf.org>
> wrote:
>
> > Hi,
> >
> > If you ran eslint (JavaScript codestyle linter) recently (it was only
> > compromised for an hour), your npm token might have been compromised
> > (~/.npmrc).
> >
> > To identify if you were compromised, run:
> > $ locate eslint-scope | grep -i "eslint-scope/package.json" | xargs jq .version
> >
> > And if any of those show "3.7.2" then you have the bad package version
> > installed.
> >
> > Upstream recommends that you 1) reset your npm token and 2) enable 2fa
> > for npm - both can be done from the npm website. You should probably
> > also check to make sure none of your packages were compromised.
> >
> > There are some more details on the bug report[1].
> >
> > [1] https://github.com/eslint/eslint-scope/issues/39#issuecomment-404533026
> >
> > -- Legoktm
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
--
(http://cscott.net)
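A defender-side version check for the compromised eslint-scope release named in Kunal's message, as an added example that is not part of this thread: instead of relying on the `locate` database it walks a directory tree, and it also reads package-lock.json (v1 nested tree and v2/v3 packages map), since the recommendations above call for lockfiles. The paths and manifests in `demo()` are constructed sample data.

```python
import json
import os
import tempfile

BAD_VERSIONS = {"3.7.2"}  # eslint-scope release named in the thread as compromised

def scan_node_modules(root):
    """Return (path, version, flagged) for every eslint-scope/package.json under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == "eslint-scope" and "package.json" in files:
            path = os.path.join(dirpath, "package.json")
            try:
                with open(path) as f:
                    version = str(json.load(f).get("version", ""))
            except (OSError, ValueError):
                version = ""  # unreadable manifest: still reported, not flagged
            hits.append((path, version, version in BAD_VERSIONS))
    return hits

def scan_lockfile(path):
    """Bad eslint-scope versions pinned in a package-lock.json (v1 tree or v2/v3 map)."""
    with open(path) as f:
        lock = json.load(f)
    found = set()
    def walk(deps):  # lockfile v1: nested "dependencies" objects
        for name, meta in (deps or {}).items():
            if name == "eslint-scope":
                found.add(meta.get("version"))
            walk(meta.get("dependencies"))
    walk(lock.get("dependencies"))
    for key, meta in (lock.get("packages") or {}).items():  # lockfile v2/v3
        if key.endswith("node_modules/eslint-scope"):
            found.add(meta.get("version"))
    return sorted(v for v in found if v in BAD_VERSIONS)

def demo():
    """Scan a constructed fixture (sample manifests, not real installs)."""
    root = tempfile.mkdtemp()
    def write(rel, obj):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            json.dump(obj, f)
    write("a/node_modules/eslint-scope/package.json", {"version": "3.7.2"})
    write("b/node_modules/eslint-scope/package.json", {"version": "3.7.1"})
    write("a/package-lock.json", {"dependencies": {"eslint": {"version": "5.0.1",
          "dependencies": {"eslint-scope": {"version": "3.7.2"}}}}})
    flagged = sum(1 for _p, _v, bad in scan_node_modules(root) if bad)
    return flagged, scan_lockfile(os.path.join(root, "a/package-lock.json"))
```

Point `scan_node_modules` at a home directory or CI workspace to find every installed copy, not only the ones `locate` has indexed.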