@any-touch/doubletap
Readme
A double-tap recognizer. It is implemented on top of @any-touch/tap and is simply a special case of tap.

```sh
npm i -S @any-touch/doubletap
```
```js
// Load only the doubletap recognizer
import Core from '@any-touch/core';
import doubletap from '@any-touch/doubletap';

const at = new Core(el);
at.use(doubletap);

// double tap
at.on('doubletap', (event) => {
    console.log(event); // includes the tap position
});
```
Because it is built on @any-touch/tap there is very little code: the recognizer registers tap with `tapTimes: 2` and then uses a `beforeEach` interceptor to hold back the plain `tap` event until it is clear whether a double tap was recognized.
```ts
import Core from '@any-touch/core';
import tap from '@any-touch/tap';
// STATE is the recognizer state enum; the README does not show its import, so
// @any-touch/shared (where the shared constants live) is assumed here.
import { STATE } from '@any-touch/shared';

export default function (at: Core) {
    // doubletap is just tap with tapTimes: 2, registered under its own name
    at.use(tap, { name: 'doubletap', tapTimes: 2 });
    const doubleTapContext = at.get('doubletap');
    let timeID: number;
    at.beforeEach((type, next) => {
        if ('tap' === type) {
            // Hold the single tap for 300 ms; a newer tap discards the held one
            clearTimeout(timeID);
            timeID = setTimeout(() => {
                // Release it only if no double tap was recognized in the meantime
                if ([STATE.POSSIBLE, STATE.FAILED].includes(doubleTapContext.state)) {
                    next();
                }
            }, 300);
        } else {
            // every other event type passes through untouched
            next();
        }
    });
    return doubleTapContext;
}
```
The only extra concept you need here is STATE, the recognizer's state.

Name | Meaning
---|---
POSSIBLE | awaiting recognition
RECOGNIZED | recognized
FAILED | recognition failed

The recognition flow is as follows: on each tap of the screen the state is POSSIBLE; when recognition succeeds it becomes RECOGNIZED, and when it fails it becomes FAILED.

A note on when FAILED occurs, using the doubletap recognizer as the example: if the interval between two taps is too long, the doubletap state becomes FAILED, and on the third tap it returns to POSSIBLE. This is why the interceptor above releases the held `tap` for both POSSIBLE and FAILED: in either case no double tap was recognized, so the single tap must still be delivered.
If you have followed the double-tap logic, a small change gives you a triple tap.
```ts
import Core from '@any-touch/core';
import tap from '@any-touch/tap';
import { STATE } from '@any-touch/shared'; // assumed location of STATE, as above

export default function (at: Core) {
    // ⭐ Only tapTimes on this line changed, from 2 to 3.
    // The event name stays 'doubletap' as in the original; rename it if you
    // want a distinct event for the triple tap.
    at.use(tap, { name: 'doubletap', tapTimes: 3 });
    // unchanged from here on
    const doubleTapContext = at.get('doubletap');
    let timeID: number;
    at.beforeEach((type, next) => {
        if ('tap' === type) {
            clearTimeout(timeID);
            timeID = setTimeout(() => {
                if ([STATE.POSSIBLE, STATE.FAILED].includes(doubleTapContext.state)) {
                    next();
                }
            }, 300);
        } else {
            next();
        }
    });
    return doubleTapContext;
}
```
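To make the interceptor, the STATE transitions and the `tapTimes: 3` variant concrete, here is an added, runnable model of the logic described above. It is written for this page and is not any-touch code: `FakeClock`, `MultiTapRecognizer`, `TouchBus`, `installMultiTap` and `simulate` are invented stand-ins for `Core`, the tap recognizer and the browser timers, and the tap timings fed to `simulate` are constructed input. It replays a lone tap, a quick pair, a slow pair and a triple tap and returns the events a listener would actually receive.

```typescript
// Added example for this page, not any-touch code: a deterministic model of the README's
// beforeEach interceptor and of the STATE transitions it checks (all names invented here).
const STATE = { POSSIBLE: 0, RECOGNIZED: 1, FAILED: 2 } as const;
const TAP_INTERVAL = 300; // ms, the delay the README passes to setTimeout

// setTimeout/clearTimeout replacement so the replay needs no real time.
class FakeClock {
  now = 0;
  private timers: { id: number; at: number; fn: () => void }[] = [];
  private nextId = 1;
  setTimeout(fn: () => void, ms: number): number {
    const id = this.nextId++;
    this.timers.push({ id, at: this.now + ms, fn });
    return id;
  }
  clearTimeout(id: number): void { this.timers = this.timers.filter((t) => t.id !== id); }
  advance(ms: number): void { // move time forward, firing due timers in order
    const target = this.now + ms;
    for (;;) {
      const due = this.timers.filter((t) => t.at <= target).sort((a, b) => a.at - b.at)[0];
      if (!due) break;
      this.timers = this.timers.filter((t) => t.id !== due.id);
      this.now = due.at;
      due.fn();
    }
    this.now = target;
  }
}

// Stand-in for the recognizer context registered with tapTimes: N, following the README:
// POSSIBLE -> RECOGNIZED on the Nth tap in time, -> FAILED on a gap too long, -> POSSIBLE after either.
class MultiTapRecognizer {
  state: number = STATE.POSSIBLE;
  private count = 0;
  private lastTapAt = -Infinity;
  private readonly tapTimes: number;
  private readonly clock: FakeClock;
  constructor(tapTimes: number, clock: FakeClock) { this.tapTimes = tapTimes; this.clock = clock; }
  onTap(): boolean { // returns true when this tap completes the N-tap gesture
    const gap = this.clock.now - this.lastTapAt;
    this.lastTapAt = this.clock.now;
    if (this.state !== STATE.POSSIBLE) { this.state = STATE.POSSIBLE; this.count = 0; } // new sequence
    if (this.count > 0 && gap > TAP_INTERVAL) { this.state = STATE.FAILED; return false; } // too slow
    this.count += 1;
    const done = this.count === this.tapTimes;
    if (done) this.state = STATE.RECOGNIZED;
    return done;
  }
}

type Interceptor = (type: string, next: () => void) => void;
// Minimal stand-in for Core's event bus: an interceptor must call next() for an event to reach handlers.
class TouchBus {
  private interceptors: Interceptor[] = [];
  private handlers = new Map<string, ((type: string) => void)[]>();
  on(type: string, fn: (type: string) => void): void {
    this.handlers.set(type, [...(this.handlers.get(type) ?? []), fn]);
  }
  beforeEach(fn: Interceptor): void { this.interceptors.push(fn); }
  emit(type: string): void {
    const step = (i: number): void => {
      if (i === this.interceptors.length) (this.handlers.get(type) ?? []).forEach((fn) => fn(type));
      else this.interceptors[i](type, () => step(i + 1));
    };
    step(0);
  }
}

// The README's interceptor on the stand-ins: hold each 'tap', let a newer tap discard the held one,
// and release the survivor only if the N-tap gesture was not recognized in the meantime.
function installMultiTap(bus: TouchBus, ctx: MultiTapRecognizer, clock: FakeClock): void {
  let timeID = 0;
  bus.beforeEach((type, next) => {
    if (type === 'tap') {
      clock.clearTimeout(timeID);
      timeID = clock.setTimeout(() => {
        if (ctx.state === STATE.POSSIBLE || ctx.state === STATE.FAILED) next();
      }, TAP_INTERVAL);
    } else next();
  });
}

// Replay taps at the given ms offsets (constructed input); return what at.on listeners would see.
function simulate(offsetsMs: number[], tapTimes = 2, name = 'doubletap'): string[] {
  const clock = new FakeClock();
  const bus = new TouchBus();
  const ctx = new MultiTapRecognizer(tapTimes, clock);
  installMultiTap(bus, ctx, clock);
  const seen: string[] = [];
  bus.on('tap', (t) => { seen.push(t); });
  bus.on(name, (t) => { seen.push(t); });
  for (const at of offsetsMs) {
    clock.advance(at - clock.now);
    if (ctx.onTap()) bus.emit(name); // Nth tap in time: the gesture event fires at once
    bus.emit('tap');                 // every tap also emits 'tap', which the interceptor holds
  }
  clock.advance(TAP_INTERVAL + 1);   // let the last held tap be released or dropped
  return seen;
}
```

`simulate([0])` yields `['tap']`, `simulate([0, 100])` yields only `['doubletap']`, and `simulate([0, 600])` yields `['tap', 'tap']` because the late second tap puts the recognizer in FAILED, which the interceptor treats like POSSIBLE. One caveat the model exposes: with `tapTimes: 3` and only two quick taps, a single `tap` is delivered, since each new tap calls `clearTimeout` on the previously held one. That is the literal behaviour of the README's interceptor; if every single tap must be delivered, hold them in a queue rather than in one `timeID`.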
We found that @any-touch/doubletap demonstrates an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.