Research
Security News
Kill Switch Hidden in npm Packages Typosquatting Chalk and Chokidar
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
@agoric/captp
Advanced tools
@agoric/captp
A minimal CapTP implementation leveraging Agoric's published modules.
NOTE: myconn
below is not part of the CapTP library, it represents a connection
object that you have created where makeCapTP
is called on both sides of the
connection, passing in the function to send a JSON-able object on the connection, and returning
a dispatch
function to receive a decoded JSON object from the connection.
import { E, makeCapTP } from '@agoric/captp';
// Create a message dispatcher and bootstrap.
// Messages on myconn are exchanged with JSON-able objects.
const { dispatch, getBootstrap, abort } = makeCapTP('myid', myconn.send, myBootstrap);
myconn.onReceive = obj => dispatch(obj);
// Get the remote's bootstrap object and call a remote method.
E(getBootstrap()).method(args).then(res => console.log('got res', res));
// Tear down the CapTP connection if it fails (e.g. connection is closed).
abort(Error('Connection aborted by user.'));
The makeLoopback()
function creates an async barrier between "near" and "far"
objects. This is useful for testing and isolation within the same address
space.
In addition to the normal CapTP facilities, this library also has the notion of "TrapCaps", which enable a "guest" endpoint to call a "host" object (which may resolve an answer promise at its convenience), but the guest synchronously blocks until it receives the resolved answer.
This is a specialized and advanced use case, not for mutually-suspicious CapTP parties, but instead for clear "guest"/"host" relationship, such as user-space code and synchronous devices.
trapHost
and trapGuest
protocol implementation (such as the
one based on SharedArrayBuffers
in src/atomics.js
) to the host and guest
makeCapTP
calls.makeTrapHandler(target)
to mark a target
as synchronous-enabled.Trap(target)
proxy maker much like
E(target)
, but it will return a synchronous result. Trap
will throw an
error if target
was not marked as a TrapHandler by the host.To understand how trapHost
and trapGuest
relate, consider the trapHost
as
a maker of AsyncIterators which don't return any useful value. These specific
iterators are used to drive the transfer of serialized data back to the guest.
trapGuest
receives arguments to describe the specific trap request, including
startTrap()
which sends data to the host to perform the actual work of the
trap. The returned (synchronous) iterator from startTrap()
drives the async
iterator of the host until it fully transfers the trap results to the guest, and
the guest unblocks.
The Loopback implementation provides partial support for TrapCaps, except it cannot unwrap promises. Loopback TrapHandlers must return synchronously, or an exception will be thrown.
FAQs
Capability Transfer Protocol for distributed objects
The npm package @agoric/captp receives a total of 127 weekly downloads. As such, @agoric/captp popularity was classified as not popular.
We found that @agoric/captp demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
Security News
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.
Product
Socket now supports uv.lock files to ensure consistent, secure dependency resolution for Python projects and enhance supply chain security.