Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
A pluggable slack bot based on Outgoing WebHooks.
First, declare your dependencies
$ mkdir fembot && cd fembot
$ npm init
# ...
$ npm install --save chivebot
# also any additional plugins, e.g.
# $ npm install --save chivebot-weather
# $ npm install --save chivebot-coolfaces
# create the config file
$ touch config.json
# configure server (see below)
$ npm start
Then define a start script in your package.json
"scripts": {
"start": "hapi -c config.json"
}
Then configure your server and plugins.
{
"servers": [
{
"host": "0.0.0.0",
"port": "8000"
}
],
"plugins": {
"chivebot-coolfaces": {},
"chivebot-weather": {},
"chivebot": {
"trigger_word": "my_bot",
"user_name": "my_bot",
"token": "{webhook_token}"
}
}
}
user_name
(String) - The username set for the bot. This is important as it filters messages such that the bot doesn't respond to itself.token
(String) - The outgoing webhook token as provided by slack.trigger_word
(String, optional) - If you configured a trigger word in slack, set it here so the messge text can be parsed correctly.Unfortunately, there's currently a lot of boilerplate with plugins. The simplest example of a plugin module can be found
in chivebot-coolfaces. The important part is that chivebot
exports a
registerCommand
API in which you register the command you want to trigger this plugin, along with the handler:
// When someone types `chivebot lives!` replay with a cool ascii face ᕙ(⇀‸↼‶)ᕗ
plugin.plugins.chivebot.registerCommand('lives!', function (raw, args, cb) {
cb(null, cool());
});
The handler arguments are:
raw
- the raw POST body as sent by Slackargs
- the message, argv parsed. So chivebot activate -c="Hello, world" -b arg2
becomes ['chivebot', 'activate', '-c="Hello, world"', '-b', 'arg2']
which can then be handed off to a parser like minimist
.cb
- the callback for pass back the desired response with the signature function (err, text) {}
FAQs
A slack bot.
We found that chivebot demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.