Enabling administrators to revoke VSTS access tokens

As promised in the Protecting our users from the ESLint NPM package breach blog post last week, we have deployed new REST APIs to allow administrators of Visual Studio Team Services (VSTS) organizations to centrally revoke Personal Access Tokens (PAT) and JSON Web Tokens (JWT) created by users in their organizations.

We’ve reviewed our system telemetry and have found no evidence that user credentials were compromised, but out of an abundance of caution, we believe it’s prudent to proactively revoke these tokens. As such, we recommend that VSTS administrators take immediate action and revoke any PATs and JWTs that can access VSTS Package Management features. To help with this, we have created a PowerShell script that automates calling the new REST API; you simply pass it a list of user principal names (UPNs).

After you have successfully revoked affected PATs and JWTs, please communicate this to your users so they can recreate their tokens as needed.

Over the next week, we will email all VSTS organization admins whose users accessed NPM from VSTS in the last 12 months (if you don’t get an email, you are unaffected and no action is required). On 3 August 2018 we will revoke any potentially impacted tokens for these affected customers only. We hope this email notification gives VSTS administrators sufficient time to coordinate with their teams to rotate tokens, specifically those used to access VSTS package management features, so that disruption is avoided while no user’s tokens are overlooked.

Context on the security incident

On 12 July 2018, malicious code was detected in two popular open-source NPM components, eslint-scope (version 3.7.2) and eslint-config-eslint (version 5.0.2). As a result, developers who downloaded and installed these packages may have had credentials stored in their .npmrc file compromised. This includes credentials required to access package feeds hosted in VSTS.

In response to this incident, we have identified the VSTS users impacted by this and proactively revoked their access tokens as a precaution to protect their credentials. This action was taken on 16 July 2018. You can learn more about the ESLint incident by reading the post-mortem blog post by the ESLint team.

In addition to the known users impacted by this package, typical NPM usage patterns indicate that some users who had VSTS credentials stored in their .npmrc file and who downloaded the malicious packages directly from the public npmjs.org registry may also have had their credentials compromised.
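To inventory the exposure described above, here is an added example (not from the post, and not Microsoft’s script) that parses an .npmrc file and lists every registry with a stored credential, flagging the entries that point at VSTS feed hosts so they can be recreated. The feed host names (pkgs.visualstudio.com, pkgs.dev.azure.com) and the sample .npmrc content are assumptions; credential values are never printed or returned.

```python
import re
from dataclasses import dataclass

# Hosts that served VSTS / Azure DevOps package feeds (assumption, not from the post).
VSTS_FEED_HOSTS = ("pkgs.visualstudio.com", "pkgs.dev.azure.com")
# .npmrc keys that store a credential when scoped to a registry URL.
CREDENTIAL_KEYS = ("_authToken", "_password", "_auth")

@dataclass(frozen=True)
class StoredCredential:
    registry: str  # URL prefix the credential is scoped to, without the leading "//"
    key: str       # which credential key carries it
    vsts: bool     # True when the registry host is a VSTS / Azure DevOps feed host

def scan_npmrc(text: str) -> list[StoredCredential]:
    """List registry-scoped credentials in .npmrc content (values are never returned)."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        # Scoped auth lines look like //host/path/:_authToken=VALUE
        m = re.match(r"^//(.+?):(\w+)=(.*)$", line)
        if not m:
            continue
        registry, key, value = m.groups()
        if key not in CREDENTIAL_KEYS or not value.strip():
            continue
        host = registry.split("/", 1)[0].split(":")[0].lower()
        is_vsts = any(host == h or host.endswith("." + h) for h in VSTS_FEED_HOSTS)
        found.append(StoredCredential(registry, key, is_vsts))
    return found

def vsts_registries_to_rotate(text: str) -> list[str]:
    """Registries whose stored credential is a VSTS token and should be recreated."""
    return sorted({c.registry for c in scan_npmrc(text) if c.vsts})

# Constructed sample .npmrc, not a real file; tokens are placeholders.
SAMPLE_NPMRC = """\
registry=https://registry.npmjs.org/
@contoso:registry=https://contoso.pkgs.visualstudio.com/_packaging/feed1/npm/registry/
//contoso.pkgs.visualstudio.com/_packaging/feed1/npm/registry/:_authToken=PLACEHOLDER_PAT
//contoso.pkgs.visualstudio.com/_packaging/feed1/npm/:_authToken=PLACEHOLDER_PAT
//registry.npmjs.org/:_authToken=PLACEHOLDER_NPM_TOKEN
//contoso.pkgs.visualstudio.com/_packaging/feed2/npm/registry/:username=contoso
//contoso.pkgs.visualstudio.com/_packaging/feed2/npm/registry/:_password=UExBQ0VIT0xERVI=
"""
```

Running `vsts_registries_to_rotate` over a user's real `~/.npmrc` gives the list of feeds whose tokens should be recreated once the administrator has revoked them.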

Additional assistance

If you have any questions or need assistance, please feel free to follow this process to create a free VSTS support case:

  1. Go to the VSTS support page at https://visualstudio.microsoft.com/team-services/support
  2. Scroll down to the “Contact us!” section and choose “Basic Support”
  3. Select “Integration and Extensibility” for “Problem Type”
  4. Select “REST API” for “Category”
  5. Click on “Start Request”
  6. Fill in your contact information and choose “Continue”
  7. For the “Incident title”, please be sure to add: “Revoke tokens associated with ESLint malicious package”
  8. Fill in your VSTS organization URL
  9. Provide any additional details to better troubleshoot your issue
  10. Choose “Submit”

Author: Justin Marks (MSFT)

Justin Marks is a principal program manager at Microsoft working on identity management for Azure DevOps. For the previous 7 years, Justin was part of the agile tooling space where he worked on all aspects of the work tracking system including process customization, the reporting stack, REST APIs, and collaboration experiences including team room, agile tooling and lightweight requirements management. Justin previously worked on the Visual Studio Debugger, the Windows Shell (as both a software design engineer in test and a program manager) and on MSN.com (as a systems engineer).