We've known all along that the JS Function block was a security hole, but our users are generally well behaved and we're not a bank or anything, so I'm pretty sure this was the first real attack (as opposed to benign practical jokes).
I'm not 100% sure about this, but I think it's unlikely that this program was around long enough to do any significant damage, outside of the perpetrator's school. (That aspect of things is under investigation and not my department.)
But as a result, we now feel a need to close this security hole quickly. Version 6.9 of Snap! disables the JS Function block by default.
Certain Snap! libraries depend on JS Function. We have a plan to solve that problem, but it might be a couple of weeks before it's fully live.
Projects that use JS Function can only be run in the Snap! Editor window (not on the web site, nor in presentation mode), by first enabling JS Function in the settings menu. This setting must be enabled in every session; it can't be stored with a project.
Here's what you'll see when you run a script containing a JS Function:
And here's how to enable JSF:
Sorry for this brouhaha.