Off-and-on trying out an account over at @tal@oleo.cafe due to scraping bots bogging down lemmy.today to the point of near-unusability.

Cake day: October 4th, 2023

  • The malware continuously monitors its access to GitHub (for exfiltration) and npm (for propagation). If an infected system loses access to both channels simultaneously, it triggers immediate data destruction on the compromised machine. On Windows, it attempts to delete all user files and overwrite disk sectors. On Unix systems, it uses shred to overwrite files before deletion, making recovery nearly impossible.

    shred is intended to overwrite the actual on-disk contents by overwriting data in the file prior to unlinking the files. However, shred isn’t as effective on journalled filesystems, because writing in this fashion doesn’t overwrite the contents on-disk like this. Normally, ext3, ext4, and btrfs are journalled. Most people are not running ext2 in 2025, save maybe on their /boot partition, if they have that as a separate partition.
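Added example, not part of the comment above or of the quoted article: when triaging a host after a wiper of this kind, one way to estimate whether overwritten file contents may still exist on disk is to look at the filesystem and mount options behind each affected path. The classification follows the caveats in the GNU shred manual (copy-on-write and log-structured filesystems, and ext3 only in `data=journal` mode); treating ext4 the same way as ext3, the mount table, the paths and all function names are assumptions made for this sketch.

```python
import posixpath

# Constructed sample in /proc/mounts format (not from a real host).
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot ext2 rw,relatime 0 0
/dev/sdb1 /home btrfs rw,relatime,compress=zstd:3 0 0
/dev/sdc1 /srv/archive ext4 rw,relatime,data=journal 0 0
"""

# Copy-on-write or log-structured filesystems: a rewrite lands in new blocks.
COW_FILESYSTEMS = {"btrfs", "zfs", "nilfs2"}

def parse_mounts(text):
    """Return (mountpoint, fstype, options) tuples from /proc/mounts text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mounts.append((fields[1], fields[2], set(fields[3].split(","))))
    return mounts

def mount_for(path, mounts):
    """Pick the mount with the longest mount point that contains path."""
    path = posixpath.normpath(path)
    best = None
    for mount in mounts:
        prefix = mount[0].rstrip("/") + "/"
        if path == mount[0] or path.startswith(prefix):
            if best is None or len(mount[0]) > len(best[0]):
                best = mount
    return best

def overwrite_assessment(path, mounts):
    """Classify whether an in-place overwrite of path reaches the old blocks."""
    mount = mount_for(path, mounts)
    if mount is None:
        return "unknown"
    _, fstype, options = mount
    if fstype in COW_FILESYSTEMS:
        return "copy-on-write"      # old blocks untouched until reused
    if fstype in ("ext3", "ext4") and "data=journal" in options:
        return "data-journaled"     # a copy of file data may sit in the journal
    return "in-place"               # storage-layer remapping (e.g. SSD) not modelled

if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNTS)
    for p in ("/home/dev/.npmrc", "/boot/grub/grub.cfg", "/srv/archive/keys.tar"):
        print(p, overwrite_assessment(p, table))
```

On a live Linux host the same functions can be fed the contents of `/proc/mounts`; paths classified as `copy-on-write` or `data-journaled` are the ones where recovery of pre-overwrite data is worth attempting first.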



  • Fina CA, for its part, said in a short email that the certificates were “issued for internal testing of the certificate issuance process in the production environment. An error occurred during the issuance of the test certificates due to incorrect entry of IP addresses. As part of the standard procedure, the certificates were published on Certificate Transparency log servers.”

    So does that mean Fina did nothing wrong?

    No. Fina never had Cloudflare’s permission to issue certificates for an IP it controls. Consent of the owning party is a cardinal rule that Fina didn’t follow.

    What are TLS certificates? How do they work?

    In short, these certificates are the only thing ensuring that gmail.com, bankofamerica.com, or any other website is controlled by the entity claiming ownership. By now, many Internet users know they should only trust a website when its real domain name appears correctly in the address bar and is accompanied by the HTTPS label.

    considers

    Hmm. Maybe the certificate validation process should be changed to require that two CAs sign off on a certificate chain, to eliminate that single point of failure. Or maybe software should require that just for certain security-sensitive identities, and there be a decision to designate certain TLDs or IP ranges or whatever as requiring an additional root. That obviously doesn’t magically resolve all potential certificate issues, but it does mean that a single error can’t create the potential to open the floodgates like this.