github.com/nova-video-player/aos-avp
NOVA is an open source video player for Android. It is a fork of the original Archos Video Player Community Edition (hosted at https://github.com/archos-sa/aos-AVP), intended to support new features.
Before asking any question please make sure that you have read the application FAQ.
This is the entry point repo. Its purpose is to provide the manifest to fetch all needed git repos with sources and then bootstrap the build environment.
More interesting sources can be found there:
For the full list, please look at this manifest https://github.com/nova-video-player/aos-AVP/default.xml
Get the repo tool, then type:
mkdir aos; cd aos
repo init -u https://github.com/nova-video-player/aos-AVP -b nova
repo sync -j4
repo forall -c 'git checkout -t $REPO_REMOTE/$REPO_RREV'
make
Alternatively, if you are not on Linux but have a properly installed Android SDK/NDK, you can launch the video player build with:
cd Video
./gradlew -Puniversal assembleNoamazonRelease
To speed up the build, it uses pre-built binaries of dav1d, ffmpeg and other libraries, together with local git clones of the ffmpeg and dav1d repos. To trigger a full rebuild after a version bump, you need to run the following manually:
rm -rf native/torrentd/libs
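# each cleanup runs in a subshell so the next path is still relative to the top-level directory
(cd native/dav1d-android-builder && git clean -fdx && rm -rf built-*)
(cd native/ffmpeg-android-builder && git clean -fdx && rm -rf dist-*)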
Note that the following packages are required to build:
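# the output redirection is done by the calling shell, not by sudo, so write the file through sudo tee
curl https://storage.googleapis.com/git-repo-downloads/repo | sudo tee /usr/local/bin/repo > /dev/null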
sudo chmod a+x /usr/local/bin/repo
sudo apt install build-essential python3 python3-pip python3-setuptools ninja-build maven file wget curl unzip git pkg-config meson nasm openjdk-17-jdk-headless openjdk-8-jdk-headless
Alternatively, you can use the provided docker image to build nova:
cd nova/AVP/docker
docker build -t nova .
docker run --rm -ti --entrypoint=/bin/bash nova
make
A GitHub workflow build configuration file is also provided here.
Prebuilt binaries of torrentd, ffmpeg and dav1d have been committed in order to reduce compilation time and remove the nasm and meson dependencies. If you need to regenerate the torrentd, ffmpeg and dav1d libs, please run make clean_prebuilt.
The compiled application is available for installation on:
But for me the best way to get the latest nova video player apk is through obtainium which I recommend to use.
Scraping and scrobbling features rely on external services such as TMDb and Trakt.
To enable NOVA video player to perform these tasks, you need to register with these services, enable the API, and inject the corresponding keys into the following file: MediaLib/src/community/res/values/donottranslate.xml, replacing the fake values below:
<?xml version="1.0" encoding="utf-8"?>
<resources xmlns:android="http://schemas.android.com/apk/res/android">
<string name="tmdb_api_key">0123456789abcdef0123456789abcdef</string>
<string name="trakt_api_key">0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef</string>
<string name="trakt_api_secret">0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef</string>
</resources>
Please note that TMDB API registration can be completed by following this link.
To create a Trakt API app, first register with Trakt, then add a new app here.
The redirect URI should be http://localhost; be sure to grant all permissions.
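One way to do the key-injection step above without hand-editing the tracked file, as an added example that is not part of the NOVA repository: the script reads the three keys from environment variables, rejects the README's fake values, and writes the XML. The variable names TMDB_API_KEY, TRAKT_API_KEY and TRAKT_API_SECRET, the function names, and the key lengths (taken from the placeholders) are assumptions.

```shell
#!/bin/sh
# Added example (not from the NOVA repository): generate the keys file from
# environment variables so real credentials are not typed into a tracked file.
# Assumption: real keys share the shape of the README's placeholders
# (32 hex characters for TMDb, 64 for the Trakt key and secret).

# is_hex VALUE LENGTH: true only if VALUE is exactly LENGTH hex characters.
is_hex() {
    [ "${#1}" -eq "$2" ] || return 1
    case "$1" in *[!0-9a-fA-F]*) return 1 ;; esac
    return 0
}

# is_placeholder VALUE: true if VALUE is the README's fake pattern repeated.
is_placeholder() {
    [ -z "$(printf '%s' "$1" | sed 's/0123456789abcdef//g')" ]
}

# write_keys_file OUT: validate the three variables, then write OUT.
# Nothing is written on failure; a newly created OUT is owner-only (umask 077).
write_keys_file() {
    out=$1
    is_hex "${TMDB_API_KEY:-}" 32 || { echo "TMDB_API_KEY: want 32 hex chars" >&2; return 1; }
    is_hex "${TRAKT_API_KEY:-}" 64 || { echo "TRAKT_API_KEY: want 64 hex chars" >&2; return 1; }
    is_hex "${TRAKT_API_SECRET:-}" 64 || { echo "TRAKT_API_SECRET: want 64 hex chars" >&2; return 1; }
    for v in "$TMDB_API_KEY" "$TRAKT_API_KEY" "$TRAKT_API_SECRET"; do
        if is_placeholder "$v"; then
            echo "refusing to write a placeholder key" >&2
            return 1
        fi
    done
    # Values are hex-only at this point, so they cannot break the XML.
    ( umask 077
      cat > "$out" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<resources xmlns:android="http://schemas.android.com/apk/res/android">
    <string name="tmdb_api_key">$TMDB_API_KEY</string>
    <string name="trakt_api_key">$TRAKT_API_KEY</string>
    <string name="trakt_api_secret">$TRAKT_API_SECRET</string>
</resources>
EOF
    )
}

# Run only when a target path is given, e.g.:
#   sh write_keys.sh MediaLib/src/community/res/values/donottranslate.xml
if [ "$#" -gt 0 ]; then write_keys_file "$1"; fi
```

Keys compiled into an APK's string resources can be read back from the built package, so treat them as recoverable by anyone who has the APK.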
You are welcome to contribute to the translation of the application using crowdin platform here.
Any contribution to show your gratitude and appreciation is always welcome, keeping the small team of developers working on their personal time motivated and aware that their dedication means something.
If you are up for it, please use any of the following links to make a donation: paypal, liberapay, github sponsor and opencollective.
Funds collected are essentially used to buy devices on which problems are reported for analysis and fix in order to cope with Android fragmentation.
Please bear in mind that the work carried out here results from a small community effort done with good will on scarce personal time. If need be, we might in the future introduce some extra bounty programs for specific feature development requests.
The NovaVideoPlayer Reddit community is used as the support community for the Nova Video Player application. It is possible to chat with Nova Video Player developers on the #novavideoplayer Libera Chat IRC channel.