More stories

  • Discord desktop app vulnerability chain triggered remote code execution attacks

    Discord has patched a critical issue in the desktop version of the messaging app which left users vulnerable to remote code execution (RCE) attacks.  

    Bug bounty hunter Masato Kinugawa developed an exploit chain leading to RCE several months ago and published a blog post over the weekend describing the technical details of the method, which combines multiple bugs.
    The first security issue was found in Electron, the software framework used by the Discord desktop app. While the desktop app is not open source, the JavaScript code utilized by Electron — an open source project for creating cross-platform apps able to harness JavaScript, HTML, and CSS — was saved locally and could be extracted and examined. 
    One of the settings in Discord’s Electron build, “contextIsolation,” was set to false. The option is designed to keep the JavaScript context of web pages separate from Electron’s own internal JavaScript; with it disabled, code running in a web page could influence that internal code, including functions with access to Node.js.
    “This behavior is dangerous because Electron allows the JavaScript code outside web pages to use the Node.js features regardless [of] the nodeIntegration option and by interfering with them from the function overridden in the web page, it could be possible to achieve RCE even if the nodeIntegration is set to false,” Kinugawa explained. 
    Now, the researcher needed a way to execute JavaScript on the application, leading to the discovery of a cross-site scripting (XSS) issue in the iframe embed feature, used to display video in chat when a URL is posted, such as one from YouTube. 
    This led Kinugawa to Sketchfab, a 3D content viewer. Sketchfab is whitelisted in Discord’s content security policy and can be embedded in the iframe — but a DOM-based XSS discovered in the embeds page could be abused. 
    However, this only allowed the bug bounty hunter to execute JavaScript in the iframe, and so it still wasn’t possible to achieve full RCE on the Discord desktop app. At least, not until Kinugawa came across a navigation restriction bypass in Electron’s “will-navigate” event code. 
    Tracked as CVE-2020-15174, this processing error, combined with the other two vulnerabilities, allowed Kinugawa to perform an RCE attack by circumventing navigation restrictions and using the iframe XSS bug to access a web page containing the RCE payload.   
    Kinugawa reported his findings via Discord’s Bug Bounty program. After the Discord team triaged the bugs and confirmed their validity, the developers disabled the Sketchfab embeds and added a sandbox attribute to the iframe.
    “After a while, the contextIsolation was enabled,” the bug bounty hunter added. “Now even if I could execute arbitrary JavaScript on the app, RCE does not occur via the overridden JavaScript built-in methods.”
    Kinugawa was awarded $5,000 for his report by Discord, alongside $300 by the Sketchfab team for the disclosure of the XSS flaw, now patched. Electron’s “will-navigate” issue has also been resolved.  
    ZDNet has reached out to Discord and will update when we hear back.


  • The encryption war is on again, and this time government has a new strategy

    We could soon be in for a new round of the encryption wars, but this time governments are taking a different approach.
    Seven governments from across the world have started a new campaign to try and persuade big tech companies to reduce the level of security they offer to customers using their services.


    The seven — US, UK, Canada, Australia, New Zealand, India and Japan — are worried that the use of end-to-end encryption makes it impossible for tech companies to identify dangerous content like terrorist propaganda and attack planning, and makes it harder for police to investigate serious crimes and protect national security.
    Their statement starts boldly: “We, the undersigned, support strong encryption”, saying that it plays a crucial role in protecting personal data, privacy, intellectual property, trade secrets and cybersecurity, and in repressive states protects journalists, human rights defenders and other vulnerable people.
    Then, of course, comes the big caveat: “We urge industry to address our serious concerns where encryption is applied in a way that wholly precludes any legal access to content.” The sort of end-to-end encryption that means messages can’t be intercepted, or that a hard drive can never be read without the key, “pose significant challenges to public safety”, the seven governments warn.
    This of course is where things get trickier. These governments want tech companies to make it possible to act against illegal content and activity, but with no reduction to safety — something that tech companies insist is impossible.
    “We challenge the assertion that public safety cannot be protected without compromising privacy or cybersecurity. We strongly believe that approaches protecting each of these important values are possible and strive to work with industry to collaborate on mutually agreeable solutions,” the statement concludes.
    Tech companies argue that end-to-end encryption protects users’ privacy rights, and that to weaken it — by creating a so-called ‘backdoor’ that would allow the authorities to look at messages — would put all sorts of private communications at risk from hackers and force the companies to decide whether to hand over messages to oppressive regimes. End-to-end encryption makes the tech companies’ lives easier, and also allows them to claim the moral high-ground when it comes to privacy.
    So is there anything new in this? Governments have been half-heartedly trying to refight the cryptowars for years now, with little success — largely because they know that coming up with a fix for this is hard.
    They know it’s all but impossible to ban the use of end-to-end encryption. Sure, you could pass laws to ban it, and maybe block encrypted apps from local app stores if they used it, or make it illegal to possess them. But that’s insanely hard to justify and even harder to enforce — even for states like Russia, which have tried to ban encrypted services.
    And even if you did go for a ban, organised crime would simply get hold of encryption on the black market or from abroad, and would be just as well-protected as ever. But the average person on the street would be unable to access strong encryption, and would be more at risk of hacking as a result.
    A policy that makes the average person less secure, while doing little to tackle the real problem, seems unlikely to gain much support. Imagine being the politician who has to explain to the country that their data has just been scooped up by a foreign power as a result.
    The UK’s GCHQ has come up with an idea called ‘ghost protocol’, which would add the government as a secret eavesdropper into every call. But although GCHQ’s scheme has technical merit, if tech companies said ‘yes’ to one agency they would struggle to exclude others — that chat with your mates about what to watch on Netflix could quickly become crowded with spies from around the world.
    That’s because governments will inevitably over-reach and use such powers to increase their general surveillance. It’s worth remembering that many of these tech companies introduced end-to-end encryption precisely because governments were cheerfully snooping on everyone’s conversations in the first place. Many would say it’s brazen of governments to now ask us to trust them again.
    A new approach
    So what’s going on here? Adding two new countries — Japan and India — the statement suggests that more governments are getting worried, but the tone is slightly different now. Perhaps governments are trying a less direct approach this time, and hoping to put pressure on tech companies in a different way.
    “I find it interesting that the rhetoric has softened slightly,” says Professor Alan Woodward of the University of Surrey. “They are no longer saying ‘do something or else’.”
    What this note tries to do is put the ball firmly back in the tech companies’ court, Woodward says, by implying that big tech is putting people at risk by not acceding to their demands — a potentially effective tactic in building a public consensus against the tech companies.
    “It seems extraordinary that we’re having this discussion yet again, but I think that the politicians feel they are gathering a head of steam with which to put pressure on the big tech companies,” he says.
    Even if police and intelligence agencies can’t always get encrypted messages from tech companies, they certainly aren’t without other powers. The UK recently passed legislation giving law enforcement wide-ranging powers to hack into computer systems in search of data.
    So will governments find more success with their new softer approach? In the short term, probably not. End-to-end encryption creates real and tragic problems for police and the victims of crime, yet governments have not made a decent case for making us all less secure in response to those problems. Still, governments are increasingly conscious of the impact of big tech companies, and are increasingly willing to take them on. It may only take a few high-profile situations where strong encryption prevents a terrible crime from being stopped or investigated, for governments to think that public opinion can be shifted in their direction.
    ZDNET’S MONDAY MORNING OPENER
    The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.

  • Microsoft adds option to disable JScript in Internet Explorer

    As part of the October 2020 Patch Tuesday security updates, Microsoft has added a new option to Windows to let system administrators disable the JScript component inside Internet Explorer.
    The JScript scripting engine is an old component that was initially included with Internet Explorer 3.0 in 1996 and was Microsoft’s own dialect of the ECMAScript standard (the JavaScript language).
    Development on the JScript engine ended, and the component was deprecated with the release of Internet Explorer 8.0 in 2009, but the engine remained in all Windows OS versions as a legacy component inside IE.
    Across the years, threat actors realized they could attack the JScript engine, as Microsoft wasn’t actively developing it and only rarely shipped security updates, usually only when attacked by threat actors.
    CVE-2018-8653, CVE-2019-1367, CVE-2019-1429, and CVE-2020-0674 are some of the recent JScript zero-days that Microsoft had to deal with over the past three years.
    All were bugs exploited by nation-state actors, for which Microsoft had to hurry to ship patches [1, 2]. Once patched, proof-of-concept code was also published on GitHub, and these vulnerabilities also quickly entered the arsenal of exploit kit developers [1, 2].
    Now, 11 years after deprecating the component, Microsoft is finally giving system administrators a way to disable JScript execution by default.
    According to Microsoft, the October 2020 Patch Tuesday introduces new registry keys that system administrators can apply to block the jscript.dll file from executing code.
    Details on how this can be done are available below, as taken from Microsoft’s documentation.
    Click Start, click Run, type regedt32 or regedit, and then click Ok.
    To disable JScript execution in Internet Zone, locate the following registry subkey in Registry Editor: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\140D
    To disable JScript execution in Restricted Sites Zone, locate the following registry subkey in Registry Editor: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\140D
    Right-click the appropriate registry subkey, and then click Modify.
    In the Edit DWORD (32-bit) Value dialog box, type 3.
    Click OK, and then restart Internet Explorer.

  • Cyber must be part of all-hazards national resilience: Home Affairs chief

    Cyber resilience needs to be part of a coherent “all vectors and all sectors” approach to national security, according to Mike Pezzullo, Secretary of Australia’s Department of Home Affairs.
    National security itself also needs to be discussed more broadly, he said. Not everything should become a national security problem, but he does believe in a whole-of-society approach to fostering resilience.
    “I am in favour … of emphasising concepts such as ‘self-reliance’ and ‘sovereign capability’ in national policy discourse, which would require the closer integration of security, economic, and social policy,” Pezzullo told the National Security College in Canberra last week.
    “We should logically separate the ‘vector’ — whether it be an invading army, an enemy fleet, terrorists, saboteurs, cyber hackers, violent criminals, extreme weather events, or a global pandemic, and so on — from the ‘sectors’ of society and the economy which are likely to be impacted, and which will need to be defended, mobilised, and/or remediated,” he said.
    “Relatedly, the logic and language of war in security thinking should be reduced to its proper and legitimate place, which is to say the field of armed conflict — where it has enough to do.”
    Pezzullo’s speech cited five centuries of political philosophy, among other things, to outline a conceptual framework for national security.
    “Security is a means to an end. Its effects enable the pursuit of happiness and prosperity, which are the greater ends,” he said.
    “If one were to construct a national risk register, it would be immediately apparent that some are not ‘national security’ issues at all.”
    The speech also extended on Pezzullo’s speech from March 2019, “Seven Gathering Storms — National Security in the 2020s”, by listing an even greater range of potential risks that might arise in the coming century through to 2120.
    Too long to include here, the list included: A Great Power war that might even go nuclear; weapons of mass destruction used outside a nation-state conflict; terrorism and politically-motivated violence; massive economic damage by transnational criminal networks; supply chain risks; a global pandemic; “the adverse consequences of advanced technology, especially artificial intelligence and synthetic biology”; natural disasters; and much more.
    “This is an apocalyptic list to be sure,” he said.
    “Indeed, in relation to ways in which humanity might become extinct you will find arguable cases for the following scenarios, amongst others: A deliberately released, humanity-killing synthetic virus; super volcanic eruptions which block the Sun; the Terminator AI threat; a nuclear apocalypse; and, yes, the killer asteroid.”
    To face these risks, Pezzullo put forward the concept of an “extended state”, which he described as a “networked and dynamic conception of security which comprehends sectors across society and the economy”.
    This extended state would include the “entire apparatus” of the Australian government, not just the core agencies. It would convene and coordinate activities with the state, territory, and local governments, and beyond.
    That includes “the business sector, including finance and banking; food and groceries; health and medical services; transport, freight and logistics; water supply and sanitation; utilities, energy, fuel, telecommunications; the scientific and industrial research establishment; as well as non-for-profit and community organisations, including charities; and households as might be required”.
    It is the extended state that needs to respond to these vectors of risk, according to Pezzullo.
    Such systems were built for counterterrorism (CT), for example, especially after the 9/11 terrorist attacks in 2001.
    “The states and territories and others all had to mobilise around the prospect of mass-casualty attacks. We built a lot of depth and ballast in our CT arrangements, and they’ve been honed over about 20 years,” Pezzullo said.
    “They are fit for purpose for that vector and sector problem. They are not necessarily easily replicated [for other matters].”
    A more recent example is Australia’s response to the COVID-19 pandemic, where coordination between governments was established differently in the rapidly-established National Cabinet.
    “Let’s not reinvent the wheel in relation, for instance, to cyber resilience,” Pezzullo said.
    “States and territories and indeed municipal governments… hold a lot of data. They manage a lot of sensitive networks, either directly or by way of infrastructure that they license through state utility arrangements and the like,” he said.
    “Don’t just have a [single] sector response to a vector problem.”
    Home Affairs isn’t ‘tyrannical’ or ‘despotic’
    Pezzullo responded to an audience question about authoritarianism and state secrecy by referring to the recent Parliamentary Joint Committee on Intelligence and Security (PJCIS) inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press.
    “Let’s have a sensible discussion,” he said.
    “Let’s just be open and upfront that the notion that somehow the colleagues that I’ve just identified [in law enforcement and intelligence], myself included, are tyrannical, despotic, you know, plotting behind closed doors to oppress the Australian population were it only for, you know, the altruistic fourth estate [the media], is frankly just an exaggeration, a caricature, and a trope.”
    Agencies are under “Royal Commission-level coercive oversight every day” and that’s “liberating”, according to Pezzullo.
    “You know what the rules are. A royal commissioner could roll into my organisation, into anything we’re doing, at any time, and out whatever they want,” he said.
    “And that’s frankly liberating because you go, ‘Yep’, you’ve got that self-restraining, self-censoring idea of you’ve got to do the right thing anyway and, if you don’t, you’re going to get caught anyway.”
    Pezzullo was speaking off the cuff so to be fair, one shouldn’t parse these comments too finely.
    Nevertheless, your correspondent still wonders whether “Don’t do bad things because you might get caught” is the best way to portray an organisational culture.
    It’s also unclear how this squares with the evidence given to Senate Estimates on Monday, where he was asked about the alleged cash-for-visa scheme that is currently being investigated by the NSW Independent Commission Against Corruption (ICAC).
    When asked how the matter being investigated by ICAC sat when compared to the incidents seen within Home Affairs, Pezzullo said that “we see lots of things in the department”.
    “In fact, we see highly organised criminality. We see the loosely organised or casual opportunistic criminality. We see inadvertent either criminality or civilly sanctionable activity,” he said.
    “It’s a constant enforcement and compliance activity.”
    Yet compliance hasn’t always been Home Affairs’ top strength.
    An example of this was seen in February this year, when Home Affairs was savaged by PJCIS for its poor oversight of data retention laws. Also in the Home Affairs portfolio, Australian Federal Police officers were found in 2017 to have not fully appreciated their responsibilities in relation to those laws.   

  • Kleenheat customer names and addresses exposed in system breach

    Australian gas producer Kleenheat has warned a number of its customers about a data breach that may have resulted in information such as name and address being exposed.
    The Perth-based retailer and distributor believes the breach occurred in 2014 on a third-party system. ZDNet understands that system is no longer in use.
    “The potential disclosure was recently identified by Kleenheat during a routine data security check, and did not occur within Kleenheat’s internal systems,” the company wrote in an email to customers.
    Kleenheat referred to data at potential risk as being “general contact information”, confirming that it included name, residential address, and email address. It “reassured” phone number, date of birth, or bank, credit card, and account details were not breached.
    “As soon as we identified the issue, we moved quickly to secure the information and we are not aware of any associated malicious activity,” Kleenheat added.
    “Please be assured that we will continue to monitor for any potential suspicious activity in our systems.”
    ZDNet understands only affected customers received the notification.
    The company said it has been in contact with relevant authorities, such as reporting the incident to the Office of the Australian Information Commissioner.

  • Australian government takes another swing at revamping visa processing system

    The Australian government has provided more details on its plan to develop a whole-of-government platform, called Permissions Capability, which it expects to use for delivering Commonwealth digital services that require permissions.
    Speaking on Monday during Senate Estimates, Secretary of the Department of Home Affairs Mike Pezzullo explained that the government envisions Permissions Capability would be used for government services such as visas, import and export permits, licences, accreditation, declarations, and registrations.
    “Future use cases, subject to government approval, could include employment suitability clearances, the licencing of companies to import and sell illicit tobacco along with associated compliance measures to illicit tobacco, police checks, permits to import and export certain goods, Australian government security accreditation, for example, an aviation security identification card or ASIC, as well as complex visa products,” he said.
    The federal government first signalled plans about building its permissions platform back in July. 
    The first cab off the rank for this new system would be the development of a Digital Passenger Declaration (DPD), which is set to replace the existing manually processed, paper-based incoming passenger card and separate COVID-19 health declaration.
    According to the government, through the DPD, Australian-bound travellers would be able to provide their incoming passenger information via their mobile device or computer, while also allowing certified COVID vaccination certifications to be digitally uploaded and connected if and when they become available.
    Acting Minister for Immigration, Citizenship, Migrant Services and Multicultural Affairs Alan Tudge and Minister for Government Services Stuart Robert jointly said the DPD would enable information to be collected and shared more efficiently, while still allowing it to use the same authority for collection.
    “Currently, the government collects a range of passenger information, including contact details, customs, and biosecurity information from citizens and non-citizens entering Australia using a manual, paper-based process,” Tudge said.
    “This new capability will strip away the need to scan paper cards. It will facilitate data sharing between state and territory health departments and enable swift verification of information provided by passengers.
    “In the future, collection and verification of information will assist in managing risk at the international border when international travel returns.”
    Tudge touted it would also streamline the national response to COVID-19 contact tracing by speeding up information collection and processing.
    The unveiling of plans to simplify COVID-19 contact tracing at airports coincided with the New South Wales government announcing that passengers could now use the Service NSW app to check-in for contact tracing at Sydney Airport by scanning a unique QR code located at domestic and international terminals. The app automatically captures the date, time, and location of the check-in, which is stored as data for 28 days solely for the purpose of contact tracing before being deleted.
    Additionally, the federal government outlined in its Permission Capability information paper [PDF] that it would develop what it has dubbed as a “simple” digital visa product as part of the initial phase for delivering its Permission Capability.
    The simple visa product would include a digital application that would be made available for non-citizen travellers who meet certain visa criteria. It would also be used to integrate multiple visas on the new system when they become digitised, as well as streamline the application process, and facilitate visa holders’ movement through international borders.
    Earlier this year, the federal government terminated its contentious request for tender process for its proposed Global Digital Platform (GDP).
    The Department of Immigration and Border Protection — now Home Affairs — went to tender initially in September 2017, seeking a provider to design, implement, and operate a new visa business.
    At the time, it was explained that the new visa business would be outsourced to another party that would be charged with processing visa applications.
    In 2018, a request for tender was published and quickly removed. It called for a private company to own and operate Australia’s visa processing system for a period of 10 years.
    After admitting that privatising Australia’s visa processing system was not the best idea, the government announced it would take a “broad new policy approach” by acquiring and delivering workflow processing capability within the Department of Home Affairs and other areas across government.
    “The government will implement modern, easy to access, digital services for clients,” Tudge said at the time. “This approach seeks integrated enterprise-scale workflow processing capability that could be utilised across the Commonwealth.
    “Key to this is recognising the efficiencies that can be generated from large-scale government investment in technology and the re-use of capability across government.”
    The Department of Home Affairs spent just shy of AU$92 million for design and procurement on the binned GDP project. Of that amount, AU$24 million was spent on the co-design and development of business requirements; AU$32 million on the GDP request for tender processes, probity, legal, and assurance; AU$18 million on departmental IT readiness; and AU$17 million on development of Business Rules.
    Another AU$65 million was spent on external contracts on the proposed GDP, the department revealed in May in response to questions on notice from Senate Estimates held in early March. Boston Consulting Group walked away with AU$43.5 million and KPMG with nearly AU$8 million.
    During Senate Estimates on Monday, Home Affairs First Assistant Secretary Stephanie Cargill revealed that government had set aside an initial AU$74.9 million to begin building the base Permission Capability in 2021, which includes delivering the DPD and the simple digital visa product.
    Off the back of that response, Senator Kristina Keneally scorned the government for not prioritising the modernisation of the country’s existing visa system, as part of the recent federal 2020-21 Budget. 
    “I’m trying to understand how we’ve come to a point where you’ve spent AU$91 million on the visa privatisation that was then dumped in March, and now we’ve only got $74 million for simple visas, and yet experts say it’s going to take, again, another billion-dollar to rebuild the visa processing system,” she said.
    “You’ve even agreed there were warning bells that have been going up since 2017. So, how do we have a Budget that has got a trillion dollars of debt, but yet has so little money allocated for … a visa system that is failing?”
    An open market request for tender to build and deliver the DPD and simple digital visa product will be issued before the end of October, the Department of Home Affairs said.

  • Political campaign emails contain dark patterns to manipulate donors, voters

    US political candidates use psychological tricks and dark patterns in their emails to manipulate supporters to donate money and mobilize voters.
    In a study published earlier this month, academics from Princeton University said they analyzed more than 100,000 emails sent by candidates in federal and state races as well as Political Action Committees (PACs), Super PACs, political parties, and other political organizations.
    The emails were collected as part of a research project that began in December 2019. Emails are still being collected today, with the research team planning to make all the data public after the US fall election cycle.
    More than 280,000 emails from more than 3,000 senders were collected to date.
    “Our corpus has two orders of magnitude more emails than the largest corpus of election-related emails previously analyzed in the academic literature,” the Princeton researchers said.
    But while the full data will be made available in November, earlier this month the research team also published a paper [PDF] containing the results of a preliminary analysis of the first 100,000 emails they collected, from December 2, 2019, up to June 25, 2020.
    These days, most campaign emails are akin to spam, so most email users are already familiar with their content and purpose. Most campaigns struggle to get users to even open the emails, let alone read or take action — like sign up for rallies, go vote, or donate funds.
    The Princeton research team said the purpose of their research was to identify manipulative tactics and dark patterns used by political campaigns over the past year to get recipients to, at least, open their emails.
    Six were identified, researchers said. These included: 
    Forward referencing or information withholding – Using subject lines like “bumping this for you” or “let’s prove him wrong,” which are generic enough to get users to open the email and investigate.
    Sensationalism – Emails with classic clickbaity subject lines like “(no!) Mark Kelly SLANDERED!” and “HUGE ANNOUNCEMENT.”
    Urgency – Emails with countdown timers, fake deadlines, or fake goals, using subject lines and phrases like “April Deadline (via Team Graham)” or “1 huge goal, 1 last chance to help reach it!”
    Obscured names – Emails where the senders obscured their identity, making it impossible for the recipient to learn who sent the email without opening it first.
    Ongoing thread – Emails where the sender modified their name into patterns like “John, me (2)” to trick users into thinking they already replied to the email, and this is an ongoing conversation.
    Abuse of Re: / Fwd: – Emails where senders abused the “Re” and “Fwd” terms in subject lines to trick users into thinking the email was a reply or forwarded message.
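    As an added example, not the Princeton team’s code: heuristic flags for the six tactics listed above, run over constructed email headers with fictional senders. The regular expressions are approximations written for this example; the study’s own classification method is not described here.

```javascript
// Added example, not the Princeton team's code: heuristic flags for the six tactics the
// study lists, applied to constructed email headers. The patterns are approximations
// written for this example (assumption), not the paper's classifiers.

// Each tactic is a predicate over a header object { from, subject, inReplyTo }.
const TACTICS = {
  // Forward referencing / information withholding: subject lines that say nothing
  // about the content ("bumping this for you", "let's prove him wrong").
  forwardReferencing: ({ subject }) =>
    /^(bumping this|quick question|let'?s prove (him|her|them) wrong)\b/i.test(subject.trim()),

  // Sensationalism: a shouted word followed by "!", repeated "!", or scare words.
  sensationalism: ({ subject }) =>
    /[A-Z]{5,}!/.test(subject) || /!{2,}|\b(slandered|huge announcement|breaking)\b/i.test(subject),

  // Urgency: deadlines, countdowns and goals.
  urgency: ({ subject }) =>
    /\b(deadline|last chance|hours? left|midnight|expires?|goal)\b/i.test(subject),

  // Obscured names: a display name that identifies nobody, so the recipient must open
  // the email to learn who sent it.
  obscuredName: ({ from }) => {
    const display = from.replace(/<[^>]*>/, '').trim();
    return display === '' || /^(team|info|updates?|no[- ]?reply)$/i.test(display);
  },

  // Ongoing thread: "John, me (2)" display names that mimic a mail client's thread view.
  ongoingThread: ({ from }) => /\bme\b.*\(\d+\)\s*(<|$)/i.test(from),

  // Abuse of Re:/Fwd:: reply or forward prefix on a message that is not a reply.
  // Constructed rule: a genuine reply would carry an In-Reply-To header.
  fakeReplyPrefix: ({ subject, inReplyTo }) =>
    /^\s*(re|fwd?|fw)\s*:/i.test(subject) && !inReplyTo,
};

// Names of every tactic an email triggers, in TACTICS order.
function flagTactics(email) {
  return Object.keys(TACTICS).filter((name) => TACTICS[name](email));
}

// Fraction of emails that use at least one tactic; the story's "43% of emails"
// is a per-campaign figure of this kind.
function tacticRate(emails) {
  if (emails.length === 0) return 0;
  return emails.filter((e) => flagTactics(e).length > 0).length / emails.length;
}

// Constructed sample headers with fictional senders.
const SAMPLE = [
  { from: 'Team Jane <mail@jane.example>', subject: 'bumping this for you', inReplyTo: null },
  { from: 'Jane, me (2) <mail@jane.example>', subject: 'Re: our plan', inReplyTo: null },
  { from: 'Jane for Senate <mail@jane.example>', subject: '(no!) Jane SLANDERED!', inReplyTo: null },
  { from: 'Jane for Senate <mail@jane.example>', subject: 'Our weekly newsletter', inReplyTo: null },
];

// Example run: prints each subject with its flags and the overall rate (0.75 here).
for (const e of SAMPLE) console.log(e.subject, '->', flagTactics(e));
console.log('rate', tacticRate(SAMPLE));
```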

    According to the researchers, the typical campaign used at least one of these tactics in about 43% of the emails they sent. Even if campaigns didn’t use these tactics on a regular basis, researchers said that 99% use them at least occasionally.
    The Princeton academics said they looked into campaign emails because “manipulative political discourse undermines voters’ autonomy, generates cynicism and thus threatens democracy” and “distorts political outcomes by advantaging those who are skilled at deploying technological tricks, triggering a race to the bottom.”
    A website has also been set up where anyone can search through the email corpus, either by sender name or keywords. The website is updated daily with new emails.
    “We hope that our corpus will be useful for studying a wide array of traditional political science questions, including how candidates represent themselves to their would-be constituents, how and when campaigns go negative, and what tactics campaigns and organizations use to raise money and mobilize voters,” researchers said.

  • Three npm packages found opening shells on Linux, Windows systems

    Three JavaScript packages have been removed from the npm portal on Thursday for containing malicious code.
    According to advisories from the npm security team, the three JavaScript libraries opened shells on the computers of developers who imported the packages into their projects.


    The shells, a technical term used by cyber-security researchers, allowed threat actors to connect remotely to the infected computer and execute malicious operations.
    The npm security team said the shells could work on both Windows and *nix operating systems, such as Linux, FreeBSD, OpenBSD, and others.
    Packages were live for almost a year
    All three packages were uploaded on the npm portal almost a year ago, in mid-October 2019. Each package had more than 100 total downloads since being uploaded on the npm portal. The package names were:
    “Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer,” the npm security team said.
    “The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it,” they added.
    Npm’s security staff regularly scans its collection of JavaScript libraries, considered the largest package repository for any programming language.
    While malicious packages are removed on a regular basis, this week’s enforcement is the third major crackdown in the last three months.
    In August, npm staff removed a malicious JavaScript library designed to steal sensitive files from an infected user’s browser and Discord application.
    In September, npm staff removed four JavaScript libraries for collecting user details and uploading the stolen data to a public GitHub page.