Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@aduh95/caritat-cli
Advanced tools
The name comes from Marie Jean Antoine Nicolas de Caritat, Marquis of Condorcet, French philosopher and mathematician, notably known for championing an election method that now named after him.
The goal of this project is to allow organisations of people working remotely to cast votes is a secure and transparent way, using a git repository to collect and authenticate votes.
If the vote is setup on a GitHub pull request and you have
gh
locally installed and logged in to your GitHub
account:
npx --package=@aduh95/caritat-cli voteOnGitHub <pr-url>
Otherwise, you can specify the details manually:
npx --package=@aduh95/caritat-cli voteUsingGit \
--repo=<repo-url> --branch=<branch-name> \
--path=<subfolder-where-the-vote-data-is-stored> \
--handle=<your-github-handle>
You can use one of the shell script from the sh/
folder. Requires openssl
(LibreSSL CLI is not compatible) and git
to be available on the local machine.
On a Unix-like OS:
sh/voteUsingGit.sh <your-github-handle> <repo-url> <branch-name> <subfolder-where-the-vote-data-is-stored>
On Windows:
sh/voteUsingGit.ps1 <your-github-handle> <repo-url> <branch-name> <subfolder-where-the-vote-data-is-stored>
Only works for vote that are hosted on a GitHub pull request.
Visit https://stduhpf.github.io/caritat/, paste the URL of the pull request, and create the JSON file containing your encrypted ballot using GitHub web UI.
npx --package=@aduh95/caritat-cli generateNewVoteFolder \
--repo "<repo-url>" --branch "<new-vote-branch-name>" \
--directory "<relative-path-to-new-vote-folder>" \
--subject "Vote subject" \
--candidate "Candidate 1" --candidate "etc." \
--allowed-voter "voter@example.com" --allowed-voter "etc@example.com" \
--shareholder "shareholder@example.com" --shareholder "etc@example.com" \
--shareholders-threshold 2
git
-less setupRequires openssl
(LibreSSL CLI is not compatible), gpg
, and node
.
Use the sh/generateNewVoteFolder.sh
script.
sh/generateNewVoteFolder.sh <path-to-dir>
This will generate three files that will be used to let participants vote. You can then commit those files and push this to a new branch (optionally open the vote pull request). If you are participating to that vote yourself, you should cast your vote right away using one of the methods described above.
You can build your own CLI to interface with Caritat so it's more fitted to your use-case and is more user-friendly.
Since we are using TypeScript, please rely on the type definition for documentation on how to use the API.
When using git, a participant could force push the branch and remove or modify ballots from other participants. Adding protection on the branch on which the vote is happening can help prevent this.
Ballots are encrypted using a public key generated for the vote, only someone in possession for the private key is theoretically able to decipher the ballot. Typically, no one should be in possession of the full private key (although there is no way of ensuring that, see "Who do I need to trust?" section) until the vote closes. Unless the vote needs to stay private, a recommended practice is to publish the vote private key, effectively making everyone's choices public.
Making the non-encrypted ballot available publicly is a great way to ensure the election was not rigged. Everyone can check that the ballot counted as their has not been altered and that the result adds up. It's still possible to not make them public (to keep the vote anonymous), but that requires to trust a single authority (the vote instigator).
Encrypting the ballot is necessary to ensure people voting early do not interfere or influence folks voting after them. At the end of the vote, the the private key can be made public, so anyone can decrypt the ballots and verify the result themself. Or it can decided that the private key won't be shared in order to keep the votes anonymous, and a large enough panel of secret holders (depending on the vote settings) need to share their key parts, decrypt the ballots, and share the vote result without disclosing the content of the ballots.
Voters can sign their commit using PGP. When doing the counting, the system uses the git commit metadata to attribute a ballot to a voter. If a voter casts several ballots, the system only counts the most recent one.
The vote ballots cannot be deciphered, the process needs to start again (unless you have a quantum computer at home to break the RSA encryption).
The license makes no restrictions on how this tool should be used, but keep in mind that, as any electronic voting system, it can only be trusted as long as the unanonymized vote ballots are made public as soon as the vote closes, which may or may not be OK depending on the type of election you are using this for.
FAQs
Unknown package
We found that @aduh95/caritat-cli demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.