TL;DR: If you are using NPM and have installed the package eslint-scope 3.7.2, we recommend you to revoke your MyGet access tokens.

Security Advisory

At MyGet, we’re always closely monitoring security events in the package management space, and we want you to be aware of a vulnerability incident that hit npm users today. The full incident report can be read on the status page.

A well-known popular npm package, eslint-scope (version 3.7.2) was published without authorization, and apparently contained malicious code that attempted to steal npm login tokens.

It has been unpublished from, and a post-mortem has been published by the eslint team.

We have scanned all MyGet feeds for this package, and have informed affected feed owners personally.

Nevertheless, if you are using NPM and are consuming the eslint-scope package, no matter whether from directly or proxied through MyGet, we recommend to:

  • Verify your feeds for affected packages, and remove them.
  • Revoke or regenerate your MyGet access tokens at once. Access tokens can be managed from your MyGet profile page.
  • Update your MyGet credentials from your MyGet account page.
  • If you push packages to via an upstream source, you’ll need to update your access token in the upstream source configuration.

Happy packaging!