google.golang.org/api
Socket supply chain risk alerts raised for this package:
- Network access: this module accesses the network. Found 2 instances in 2 packages.
- Uses eval: the package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior. Found 2 instances in 2 packages.
- Shell access: this module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code. Found 2 instances in 2 packages.
```shell
$ go get google.golang.org/api/tasks/v1
$ go get google.golang.org/api/moderator/v1
$ go get google.golang.org/api/urlshortener/v1
... etc ...
```

and using:

```go
package main

import (
	"context"
	"log"

	"google.golang.org/api/urlshortener/v1"
)

func main() {
	ctx := context.Background()
	// With no options passed, NewService authorizes with Application Default Credentials.
	svc, err := urlshortener.NewService(ctx)
	if err != nil {
		log.Fatalf("creating urlshortener service: %v", err)
	}
	_ = svc
	// ...
}
```
These are auto-generated Go libraries from the Google Discovery Service's JSON description files.
Due to the auto-generated nature of this collection of libraries, they may contain breaking changes from one release to the next. The generator itself and the code it produces are considered beta for this reason.
These client libraries are officially supported by Google. However, the libraries are considered complete and are in maintenance mode. This means that we will address critical bugs and security issues but will not add any new features.
If you're working with Google Cloud Platform APIs such as Datastore or Pub/Sub, please use the Cloud Client Libraries for Go instead. These are the new and idiomatic Go libraries targeted specifically at Google Cloud Platform Services.
By default, each API will use Google Application Default Credentials for authorization credentials used in calling the API endpoints. This will allow your application to run in many environments without requiring explicit configuration.
```go
// import "google.golang.org/api/sheets/v4"
client, err := sheets.NewService(ctx)
```

To authorize using a JSON key file, pass option.WithCredentialsFile to the NewService function of the desired package. For example:

```go
client, err := sheets.NewService(ctx, option.WithCredentialsFile("path/to/keyfile.json"))
```
You can exert more control over authorization by using the golang.org/x/oauth2 package to create an oauth2.TokenSource. Then pass option.WithTokenSource to the NewService function:

```go
tokenSource := ...
svc, err := sheets.NewService(ctx, option.WithTokenSource(tokenSource))
```
For some more information related to all of the generated clients please read through our package documentation.