Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
github.com/jackc/pgconn
This version is used with pgx v4
. In pgx v5
it is part of the https://github.com/jackc/pgx repository.
Package pgconn is a low-level PostgreSQL database driver. It operates at nearly the same level as the C library libpq. It is primarily intended to serve as the foundation for higher level libraries such as https://github.com/jackc/pgx. Applications should handle normal queries with a higher level library and only use pgconn directly when required for low-level access to PostgreSQL functionality.
pgConn, err := pgconn.Connect(context.Background(), os.Getenv("DATABASE_URL"))
if err != nil {
log.Fatalln("pgconn failed to connect:", err)
}
defer pgConn.Close(context.Background())
result := pgConn.ExecParams(context.Background(), "SELECT email FROM users WHERE id=$1", [][]byte{[]byte("123")}, nil, nil, nil)
for result.NextRow() {
fmt.Println("User 123 has email:", string(result.Values()[0]))
}
_, err = result.Close()
if err != nil {
log.Fatalln("failed reading result:", err)
}
The pgconn tests require a PostgreSQL database. It will connect to the database specified in the PGX_TEST_CONN_STRING
environment variable. The PGX_TEST_CONN_STRING
environment variable can be a URL or DSN. In addition, the standard PG*
environment variables will be respected. Consider using direnv to simplify
environment variable handling.
Connect to your PostgreSQL server and run:
create database pgx_test;
Now you can run the tests:
PGX_TEST_CONN_STRING="host=/var/run/postgresql dbname=pgx_test" go test ./...
Pgconn supports multiple connection types and means of authentication. These tests are optional. They
will only run if the appropriate environment variable is set. Run go test -v | grep SKIP
to see if any tests are being
skipped. Most developers will not need to enable these tests. See ci/setup_test.bash
for an example set up if you need change
authentication code.
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.