{"id":22726905,"url":"https://github.com/runkitdev/eslint-scope-scan","last_synced_at":"2026-03-07T05:32:32.863Z","repository":{"id":85025815,"uuid":"140768055","full_name":"runkitdev/eslint-scope-scan","owner":"runkitdev","description":"runkit.com's scanning results over all packages on npm for the eslint-scope virus","archived":false,"fork":false,"pushed_at":"2018-07-13T00:49:53.000Z","size":21,"stargazers_count":27,"open_issues_count":1,"forks_count":4,"subscribers_count":15,"default_branch":"master","last_synced_at":"2025-04-23T14:02:22.540Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/runkitdev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2018-07-12T21:50:24.000Z","updated_at":"2024-08-13T17:40:42.000Z","dependencies_parsed_at":null,"dependency_job_id":"e687d855-5d88-4317-9e37-8432e4b6551a","html_url":"https://github.com/runkitdev/eslint-scope-scan","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/runkitdev/eslint-scope-scan","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/runkitdev%2Feslint-scope-scan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/runkitdev%2Feslint-scope-scan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/runkitdev%2Feslint-scope-scan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/runkitdev%2Feslint-scope-scan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/runkitdev","download
_url":"https://codeload.github.com/runkitdev/eslint-scope-scan/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/runkitdev%2Feslint-scope-scan/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30208731,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-07T05:23:27.321Z","status":"ssl_error","status_checked_at":"2026-03-07T05:00:17.256Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-10T17:07:21.392Z","updated_at":"2026-03-07T05:32:32.820Z","avatar_url":"https://github.com/runkitdev.png","language":null,"readme":"# eslint-scope virus scan\n\n[RunKit](https://runkit.com) is in the unique position where we have the built source of every package\non npm readily available, so we've kicked off an initial simple scan of every\npackage currently published to see if we detect the additional presence of this\nvirus in the registry. The process is ongoing and we will be updating this\nREADME with our findings, as well as filing issues on any projects if we get a\npositive hit. We have already [found one instance](https://github.com/runkitdev/eslint-scope-scan/blob/master/README.md#eslint-config-airbnb-standard200) that was previously unreported\nthat is detailed below. 
We are also serializing this information in a JSON file for\neasy automated consumption: [eslint-scope-scan/exploited-packages.json](./exploited-packages.json)\n\nThis is a fairly simplistic scan, just searching for the strings\n`sstatic1.histats.com` and `raw/XLeVP82h`, designed to quickly mitigate and\ndiscover any pure copies of this virus, and probably won't catch cases where the\ncode has been significantly altered. We are open to suggestions from the\ncommunity about additional steps we could take. Again, we're in a position few\nothers are to actually check all the source, and so we feel it is our\nresponsibility to help in any way we can.\n\nUltimately, we are hoping that this was caught fast enough to not have had a\nchance to spread, and that this work will be in an abundance of caution. The\nnode community is certainly large enough where \"enough eyes [may] make every\nvulnerability shallow\", and the already great (and quick!) work by the\neslint-scope team and npm have hopefully stopped this before it had a chance to\ngrow.\n\n## Known Packages With Vulnerability\n\n1. ### eslint-scope@3.7.2\n\n   | status | bug |\n   |--------|---------------|\n   | unpublished | [eslint-scope #39](https://github.com/eslint/eslint-scope/issues/39) |\n\n   The package that we believe had the original vulnerability.\n   \n2. ### eslint-config-eslint@5.0.2\n\n   | status | bug |\n   |--------|---------------|\n   | unpublished | [eslint-scope #39](https://github.com/eslint/eslint-scope/issues/39) |\n  \n   A related package that was quickly discovered to also contain the vulnerability.\n\n3. ### eslint-config-airbnb-standard@2.0.0\n\n   | status | bug |\n   |--------|---------------|\n   | **unpublished** | [eslint-config-airbnb-standard #3](https://github.com/doasync/eslint-config-airbnb-standard/issues/3) |\n   \n   **Update: npm has unpublished this package. 
It was confirmed that the virus will still take effect even though it was in `bundledDependencies`, so please remove this version of this package if you are using it.**\n   \n   RunKit's virus scan detected that `eslint-config-airbnb-standard@2.0.0` contains `eslint-scope@3.7.2` in its `bundleDependencies`. Unlike `dependencies`, `bundledDependencies` are not downloaded separately from npm at install but rather included directly in the tarball. This means that this version will always be susceptible to the bug despite not having necessarily been directly compromised itself, since it will always contain the originally affected `eslint-scope`. ~~Given that the virus takes action during installation and eslint-scope is present in `bundledDependencies`, it is **possible** that the bug won't have a chance to take effect. However, we have not thoroughly tested this and it is recommended you move away from this version either way. Version 2.1.0 does not appear to have the vulnerability.~~ **It is now confirmed that the virus is active in this package. Despite being in `bundledDependencies`, the virus will still run the post-hook script on install. It is important to remove this package if you are using it.**\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frunkitdev%2Feslint-scope-scan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frunkitdev%2Feslint-scope-scan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frunkitdev%2Feslint-scope-scan/lists"}