a dependency of webpack, eslint-scope@3.7.2 has been hacked

[buhichan]

see eslint/eslint-scope#39
eslint-scope@3.7.2 is a hacked version, which sends your ~/.npmrc to the hacker.
currently webpack depends on eslint-scope@^3.7.1, it's harmful.

[selbekk]

🚨 🚑 🚨 🚑 🚨 🚑 🚨 🚑 🚨 🚑 🚨 🚑 🚨 🚑 🚨
IMPORTANT!

The hacked version has been unpublished now - but the harm may already have been done.

You - the user - might have lost your NPM auth tokens. If not you, it might have happened to your CI servers. Chances are you are affected. This is what you do:

1. Turn on 2-factor authentication on NPM. Just do it.
2. Revoke all of your NPM auth tokens (see how to here) and create new ones.

[sokra]

That's bad...

[shellscape]

Following up on removing tokens, it's far easier to go to https://www.npmjs.com/settings/{username}/tokens and remove them there. You'll have to npm login locally and recreate any tokens for services that connect to your account.

[quisido]

npmjs has invalidated all tokens to resolve this issue.
eslint-scope@3.7.3 has been published to eradicate the virus in 3.7.2.

For users who want to resolve this issue manually, just npm uninstall webpack and npm install webpack. The new installation should come with eslint-scope@3.7.3.

[montogeek]

It seems issue is resolved.