Research
Recent Trends in Malicious Packages Targeting Discord
The Socket research team breaks down a sampling of malicious packages that download and execute files, among other suspicious behaviors, targeting the popular Discord platform.
Package description
The 'd' npm package is a utility for defining property descriptors for JavaScript objects. It is often used to create properties with specific characteristics such as being non-enumerable, writable, or configurable, and can be used in object property definition contexts where you want more control over how properties behave.
Defining non-enumerable properties
This code sample demonstrates how to define a non-enumerable property 'foo' with the value 'bar'. The property will not show up in for-in loops or Object.keys() calls.
{"foo": d('bar')}
Defining writable and configurable properties
This code sample shows how to define a property 'foo' that is both writable and configurable with the value 'bar'. This means the property value can be changed and the property descriptor can be modified after the initial definition.
{"foo": d(true, 'bar')}
Defining a getter and setter
This code sample illustrates defining a property 'foo' with a getter and setter function. The getter function returns the value of '_foo', and the setter function assigns the new value to '_foo'.
{"foo": d.gs(function() { return this._foo; }, function(value) { this._foo = value; })}
This is not an npm package but a built-in JavaScript method that allows similar functionality to 'd'. It defines a new property directly on an object, or modifies an existing property on an object, and returns the object. The 'd' package provides a more concise and chainable API compared to the verbose syntax of Object.defineProperty.
The 'define-property' npm package is similar to 'd' in that it is used to define a new property on an object with a given descriptor. It is a simpler and smaller utility that might be preferred for its minimalistic approach, but 'd' offers a more fluent and feature-rich API.
Readme
Originally derived from es5-ext package.
Defining properties with descriptors is very verbose:
var Account = function () {};
Object.defineProperties(Account.prototype, {
deposit: { value: function () {
/* ... */
}, configurable: true, enumerable: false, writable: true },
withdraw: { value: function () {
/* ... */
}, configurable: true, enumerable: false, writable: true },
balance: { get: function () {
/* ... */
}, configurable: true, enumerable: false }
});
D cuts that to:
var d = require('d');
var Account = function () {};
Object.defineProperties(Account.prototype, {
deposit: d(function () {
/* ... */
}),
withdraw: d(function () {
/* ... */
}),
balance: d.gs(function () {
/* ... */
})
});
By default, created descriptor follow characteristics of native ES5 properties, and defines values as:
{ configurable: true, enumerable: false, writable: true }
You can overwrite it by preceding value argument with instruction:
d('c', value); // { configurable: true, enumerable: false, writable: false }
d('ce', value); // { configurable: true, enumerable: true, writable: false }
d('e', value); // { configurable: false, enumerable: true, writable: false }
// Same way for get/set:
d.gs('e', value); // { configurable: false, enumerable: true }
$ npm install d
To port it to Browser or any other (non CJS) environment, use your favorite CJS bundler. No favorite yet? Try: Browserify, Webmake or Webpack
Define methods which will be automatically bound to its instances
var d = require('d');
var autoBind = require('d/auto-bind');
var Foo = function () { this._count = 0; };
Object.defineProperties(Foo.prototype, autoBind({
increment: d(function () { ++this._count; });
}));
var foo = new Foo();
// Increment foo counter on each domEl click
domEl.addEventListener('click', foo.increment, false);
Define lazy properties, which will be resolved on first access
var d = require('d');
var lazy = require('d/lazy');
var Foo = function () {};
Object.defineProperties(Foo.prototype, lazy({
items: d(function () { return []; })
}));
var foo = new Foo();
foo.items.push(1, 2); // foo.items array created and defined directly on foo
$ npm test
FAQs
Property descriptor factory
We found that d demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
The Socket research team breaks down a sampling of malicious packages that download and execute files, among other suspicious behaviors, targeting the popular Discord platform.
Security News
Socket CEO Feross Aboukhadijeh joins a16z partners to discuss how modern, sophisticated supply chain attacks require AI-driven defenses and explore the challenges and solutions in leveraging AI for threat detection early in the development life cycle.
Security News
NIST's new AI Risk Management Framework aims to enhance the security and reliability of generative AI systems and address the unique challenges of malicious AI exploits.