Protecting our users from the ESLint NPM package breach

On the 12th of July 2018, malicious code was detected in two popular open-source NPM packages, eslint-scope (version 3.7.2) and eslint-config-eslint (version 5.0.2). As a result, developers who downloaded and installed these packages may have had credentials stored in their .npmrc file compromised. This may include credentials required to access package feeds hosted in Visual Studio Team Services. 

In response to this incident, we identified a set of users across our service that were at risk of having had their credentials exposed. We have revoked a set of access tokens associated with their identities to mitigate the risk of those credentials being used by attackers. We will also reach out to those  individuals whose tokens were revoked.

If you notice tokens you use for accessing NPM not working, they are most likely revoked. You will need to regenerate them using the instructions found in our NPM documentation. 

In addition to this targeted action we will be deploying new REST APIs to production early next week that will allow administrators of Visual Studio Team Services accounts to centrally revoke Personal Access Tokens (PAT) and JSON Web Tokens (JWT) created by users in their accounts. Individual users can do this already by using the instructions found in revoke your own PATs documentation. 

For more information about the incident please refer to the ESLint post-mortem blog post.  

16