Revoking potentially impacted tokens from ESLint vulnerability

On the 24th of July 2018, we notified some customers via e-mail and on this blog about a planned action that we would take in relation to the malicious ESLint NPM package incident. This action is now underway. If you received an e-mail from us and/or see a banner like the one below, we have invalidated access tokens in your account. In this case, you may need to recreate access tokens using the instructions linked below. If you didn’t receive an e-mail related to this incident, you can ignore this post.

The action we are taking will primarily impact users of VSTS Package Management and users who are using access tokens stored in configuration files to access package feeds.

If you believe you have been impacted, you can regenerate Package Management access tokens following the instructions for the various packaging formats/protocols that we support:

In addition to revoking access tokens related to package management specifically, we needed to revoke some globally scoped access tokens which could have been used to access package management and therefore may have been present in local developer .npmrc files. These tokens may have also been used for general automation purposes. If this automation is failing, you can log in to VSTS using the identity that is used for automation and create a new personal access token.
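To find which local .npmrc files still hold a stored credential that may need regenerating, a small scanner can help. The following is an added example, not code from the original post or from VSTS: it assumes npm's standard credential keys (`_authToken`, `_auth`, `_password`), the function names are hypothetical, and it reports only file, line, key and registry scope, never the secret itself.

```python
import os
import re
import sys

# Credential-bearing keys in npm's .npmrc format, optionally scoped to a
# registry with a "//host/path/:" prefix.
CRED_RE = re.compile(
    r"^\s*(?://(?P<scope>\S+?):)?(?P<key>_authToken|_auth|_password)\s*=\s*(?P<value>.*?)\s*$"
)
ENV_REF_RE = re.compile(r"^\$\{[^}]+\}$")  # e.g. ${NPM_TOKEN}: not stored on disk


def find_stored_credentials(text):
    """Return (line_no, registry_scope, key) for every literal credential."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith((";", "#")):
            continue  # comment line
        m = CRED_RE.match(line)
        if not m:
            continue
        value = m.group("value").strip("\"'")
        if not value or ENV_REF_RE.match(value):
            continue  # empty, or resolved from the environment at run time
        hits.append((line_no, m.group("scope") or "(default registry)", m.group("key")))
    return hits


def scan_tree(root):
    """Yield (path, hits) for each .npmrc under root that stores a credential."""
    for dirpath, dirnames, filenames in os.walk(root):
        # Installed packages are not developer configuration; skip them.
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        if ".npmrc" not in filenames:
            continue
        path = os.path.join(dirpath, ".npmrc")
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_stored_credentials(fh.read())
        except OSError:
            continue  # unreadable file: nothing to report
        if hits:
            yield path, hits


if __name__ == "__main__":
    start = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for path, hits in scan_tree(start):
        for line_no, scope, key in hits:
            print(f"{path}:{line_no}: {key} stored for {scope}")
```

Run it against a home directory or a source tree; each reported line is a candidate for replacement with a newly generated token.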

NOTE: This is in addition to an earlier action that we have already taken to protect specific users that we felt were at higher risk of having their access tokens stolen.

Additional assistance

If you have any questions or need assistance, please feel free to follow this process to create a free VSTS support case:

  1. Go to the VSTS support page at https://visualstudio.microsoft.com/team-services/support
  2. Scroll down to the “Contact us!” section and choose “Basic Support”
  3. Select “Integration and Extensibility” for “Problem Type”
  4. Select “REST API” for “Category”
  5. Click on “Start Request”
  6. Fill in your contact information and choose “Continue”
  7. For the “Incident title”, please be sure to add: “Revoke tokens associated with ESLint malicious package”
  8. Fill in your VSTS organization URL
  9. Provide any additional details to better troubleshoot your issue
  10. Choose Submit

Author: Justin Marks (MSFT)

Justin Marks is a principal program manager at Microsoft working on identity management in Visual Studio Team Services. For the previous 7 years, Justin was part of the agile tooling space where he worked on all aspects of the work tracking system including process customization, the reporting stack, REST APIs, and collaboration experiences including team room, agile tooling and lightweight requirements management. Before working on VSTS, Justin worked on the Visual Studio debugger delivering the end-to-end IntelliTrace experience. During his 15 years at Microsoft, Justin has also worked on MSN.com as a Systems Engineer during the version 8 and 9 product cycles and on the Windows Shell as both a Software Design Engineer in Test and a Program Manager during Vista and Windows 7.
