Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
github.com/m-lab/tcp-info
The tcp-info
tool executes a polling loop that tracks the measurement statistics of every open TCP socket on a system. Data is written, in JSONL
format (refered to internally as ArchivedRecord), to files compressed using zstd
. This tool forms the basis of a lot of measurements on the Kubernetes-based Measurement Lab platform.
We expect most people will run this tool using a docker container. To invoke, with data written to ~/data, and prometheus metrics published on port 7070:
docker run --network=host -v ~/data:/home/ -it measurementlab/tcp-info -prom=7070
This repository uses the netlink API to collect inet_diag messages, partially parses them, and caches the intermediate representation. It then detects differences from one scan to the next, and queues connections that have changed for logging. It logs the intermediate representation through external zstd processes to one file per connection.
The previous version uses protobufs, but we have discontinued that largely because of the increased maintenance overhead, and risk of losing unparsed data. Instead, we are now using ArchivedRecord which is partially parsed netlink messages, mostly in base64 encoded blobs, marshaled to JSONL format, with one JSON object per line.
To run the tests or the collection tool, you will also require zstd, which can be installed with:
bash <(curl -fsSL https://raw.githubusercontent.com/horta/zstd.install/master/install)
OR
sudo apt-get update && sudo apt-get install -y zstd
The tcp-info eventsocket interface allows sidecar services to receive "open" and
"close" events on a unix domain socket connection. A simple reference
implementation cmd/example-eventsocket-client
can be started using
docker-compose
.
docker-compose up
New TCP events are processed by the example-eventsocket-client
sidecar and
logged to stderr. You may trigger a TCP connection from within the TCPINFO
container using a command like:
docker exec -it tcp-info_tcpinfo_1 wget www.google.com
The cmd/csvtool directory contains a tool for parsing ArchivedRecord and producing CSV files. Currently reads netlink-jSONL from stdin and writes CSV to stdout.
And (almost) all package use metrics.
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.