Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
nstruck.dev/tunnels
A Go application for self-hosting tunnels, similar to cloudflared.
This program basically creates a man-in-the-middle which brokers requests between the client and the Internet. We just forward all the traffic through. This allows the client to have an application facing the Internet without forwarding a port.
You can install the program using go install nstruck.dev/tunnels@latest
.
Now, you can host a server (somewhere open to the Internet) using tunnels server
. Make sure there is config.json
file in the folder the program is ran in.
There is an example server config in example_server_config.json
. In this config,
address
is the address you want to bind the proxy tosubdomain
is the subdomain to issue certificates toemail
is the email used for Let's Encrypt.{
"address": "0.0.0.0:9999",
"subdomain": "proxy.example.org",
"email": "mail@example.org"
}
The server will start and provide an authentication key which you can use to establish a connection with a client.
Once the server is hosted, you can connect to it and proxy a server using the client. Use tunnels client <auth key>
. Make sure there is config.json
file in the folder the program is ran in.
There is an example server config in example_client_config.json
. In this config,
service
is the service you want to forwardserver
is the address and port of the server you hosted.{
"service": "http://localhost:8085",
"server": "0.0.0.0:9999"
}
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.