github.com/vincent-petithory/dataurl
This package parses and generates Data URL Schemes for the Go language, according to RFC 2397.
Data URLs are small chunks of data commonly used in browsers to display inline data, typically small images, or when you use the browser's FileReader API.
Common use-cases:
string, []byte, io.Reader for inclusion in HTML templates,
Install the package with:
    go get github.com/vincent-petithory/dataurl
    package main

    import (
        "fmt"

        "github.com/vincent-petithory/dataurl"
    )

    func main() {
        dataURL, err := dataurl.DecodeString(`data:text/plain;charset=utf-8;base64,aGV5YQ==`)
        if err != nil {
            fmt.Println(err)
            return
        }
        fmt.Printf("content type: %s, data: %s\n", dataURL.MediaType.ContentType(), string(dataURL.Data))
        // Output: content type: text/plain, data: heya
    }
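From a http.Handler:
    // Requires imports: net/http, os, github.com/vincent-petithory/dataurl
    func handleDataURLUpload(w http.ResponseWriter, r *http.Request) {
        // Decode reads the whole request body as a data URL.
        dataURL, err := dataurl.Decode(r.Body)
        defer r.Body.Close()
        if err != nil {
            http.Error(w, err.Error(), http.StatusBadRequest)
            return
        }
        // ContentType() is the media type declared inside the data URL itself.
        if dataURL.ContentType() == "image/png" {
            // Report a failed write instead of silently dropping the error.
            if err := os.WriteFile("image.png", dataURL.Data, 0644); err != nil {
                http.Error(w, "could not store image", http.StatusInternalServerError)
            }
        } else {
            http.Error(w, "not a png", http.StatusBadRequest)
        }
    }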
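The handler above accepts the upload based on the media type the client declares in the data URL. As an added example (not code from the dataurl project), the stdlib-only check below is meant to be called with dataURL.ContentType() and dataURL.Data before the file is written; the names checkPNGUpload and samplePNG and both limits are assumptions.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"image"
	"image/png"
	"net/http"
)

// Hypothetical limits (assumptions, not from the page); tune per application.
const maxUploadBytes = 1 << 20 // decoded payload size in bytes
const maxDimension = 4096      // maximum width or height in pixels

// checkPNGUpload verifies that data declared as image/png really is a PNG of
// bounded size. declared is the client-supplied media type from the data URL.
func checkPNGUpload(declared string, data []byte) error {
	if declared != "image/png" {
		return errors.New("declared type is not image/png")
	}
	if len(data) > maxUploadBytes {
		return errors.New("payload too large")
	}
	// The declared type is client-controlled, so sniff the bytes as well.
	if sniffed := http.DetectContentType(data); sniffed != "image/png" {
		return fmt.Errorf("content sniffed as %s, not image/png", sniffed)
	}
	// Read only the header to bound dimensions without decoding pixel data.
	cfg, err := png.DecodeConfig(bytes.NewReader(data))
	if err != nil {
		return fmt.Errorf("invalid PNG header: %w", err)
	}
	if cfg.Width > maxDimension || cfg.Height > maxDimension {
		return errors.New("image dimensions too large")
	}
	return nil
}

// samplePNG builds a constructed w x h PNG used as sample input.
func samplePNG(w, h int) []byte {
	var buf bytes.Buffer
	_ = png.Encode(&buf, image.NewRGBA(image.Rect(0, 0, w, h)))
	return buf.Bytes()
}

func main() {
	fmt.Println(checkPNGUpload("image/png", samplePNG(1, 1)))
	fmt.Println(checkPNGUpload("image/png", []byte("<html>not a png</html>")))
}
```

In the handler, wrapping r.Body with http.MaxBytesReader before dataurl.Decode bounds the encoded input as well, since the check above only sees data that has already been read into memory.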
For convenience, a dataurl command is provided to encode/decode dataurl streams.
dataurl - Encode or decode dataurl data and print to standard output
Usage: dataurl [OPTION]... [FILE]
dataurl encodes or decodes FILE or standard input if FILE is - or omitted, and prints to standard output.
Unless -mimetype is used, when FILE is specified, dataurl will attempt to detect its mimetype using Go's mime.TypeByExtension (http://golang.org/pkg/mime/#TypeByExtension). If this fails or data is read from STDIN, the mimetype will default to application/octet-stream.
Options:
-a=false: encode data using ascii instead of base64
-ascii=false: encode data using ascii instead of base64
-d=false: decode data instead of encoding
-decode=false: decode data instead of encoding
-m="": force the mimetype of the data to encode to this value
-mimetype="": force the mimetype of the data to encode to this value
Feel free to file an issue/make a pull request if you find any bug, or want to suggest enhancements.