Thursday, 12 July, 2018 UTC


Jul 12, 16:13 UTC
Update - We are continuing to investigate this issue.
Jul 12, 16:13 UTC
Investigating - Version 3.7.2 of the popular package `eslint-scope` was published without authorization ( see ). This version contained apparently malicious code that attempted to steal npm login tokens. It has been unpublished and is no longer available.

npm is aware of this issue and is actively taking steps to investigate, identify and notify affected users, and further protect our users.

Your npm login token does not give an attacker your npm password. You can revoke all existing tokens by visiting .