Revoking potentially impacted tokens from ESLint vulnerability

Justin Marks

On the 24th of July 2018, we notified some customers via e-mail and on this blog about a planned action that we would start taking in relation to the malicious ESLint NPM package incident.  This action is now underway. If you received an email from us and/or see a banner like one below, we have invalidated access tokens in your account. In this case you may need to recreate access tokens using the instructions linked below. If you didn’t receive an email related to this incident, you can ignore this post.

The action we are taking will primarily impact users of VSTS Package Management and users who are using access tokens stored in configuration files to access package feeds.

If you believe you have been impacted, you can regenerate Package Management access tokens following the instructions for the various packaging formats/protocols that we support:

In addition to revoking access tokens related to package management specifically, we needed to revoke some globally scoped access tokens which could have been used to access package management and therefore may have been present in local developer .npmrc files. These tokens may have also been used for general automation purposes. If this automation is failing you can login to VSTS using the identity that is used for automation and create a new personal access token.

NOTE: This is in addition to an earlier action that we have already taken to protect specific users that we felt that were of higher risk of having their access tokens stolen.

Additional assistance

If you have any questions or need assistance, please feel free to follow this process to create a free VSTS support case:

  1. Go to the VSTS support page at
  2. Scroll down to the “Contact us!” Section and choose “Basic Support”
  3. Select “Integration and Extensibility” for “Problem Type”
  4. Select “REST API” for “Category”
  5. Click on “Start Request”
  6. Fill in your contact information and choose “Continue”
  7. For the “Incident title”, please be sure to add: “Revoke tokens associated with ESLint malicious package
  8. Fill in your VSTS organization URL
  9. Provide any additional details to better troubleshoot your issue
  10. Choose Submit


Discussion is closed.

Feedback usabilla icon