@bitgo-forks/bip174
BitGo's fork of a BIP174 compatible partial Transaction encoding library.
When rebasing this fork on upstream, tag the upstream commit with a base version that semantic-release should continue from. E.g. upstream v2.1.0 might get tagged with v3.1.0, so that semantic-release picks up from v3.1.0-rc.1.
This library is separate as an attempt to separate Bitcoin specific logic from the encoding format.
I apologize if this library is hard to use. Removing Bitcoin specific logic from "Partially Signed BITCOIN Transaction" format was kind of hard.
combine has highest priority.

In order to keep this library as separate from Bitcoin logic as possible, this library will not implement the following responsibilities. Rather, down the road bitcoinjs-lib will adopt this class and extend it internally to allow for the following:

TransactionFromBuffer typed function. See ts_src/lib/interfaces.ts for info on the Transaction interface and the TransactionFromBuffer function.

Transaction abstract interface that has an addInput/addOutput method which will be called.

```javascript
// When installing this fork, require('@bitgo-forks/bip174') instead.
const { Psbt } = require('bip174')
const { PsbtTransaction, pTxFromBuffer } = require('./someImplementation')

// Psbt requires a Transaction interface to create an instance, as well as
// a function that turns a buffer into that interface. See Transaction and
// TransactionFromBuffer in ts_src/lib/interfaces.ts ...
// See tests/utils/txTools file for an example of a simple Bitcoin Transaction.
// Also see BitcoinJS-lib for an extended class that uses the Transaction class internally.
// Anyone using this library for Bitcoin specifically should use bitcoinjs-lib

// Your PsbtTransaction will have a toBuffer function to allow for serialization
// (someTransactionBuffer and somePsbtBuffer are placeholders for your own data)
const tx = pTxFromBuffer(someTransactionBuffer)
const psbt = new Psbt(tx)
// OR
// This will parse the PSBT, and use the function you pass to parse the Transaction part
// the function should throw if the scriptSig section is not empty
// (shown commented out because psbt is already declared above)
// const psbt = Psbt.fromBuffer(somePsbtBuffer, pTxFromBuffer)

psbt.addInput({
  hash: '865dce988413971fd812d0e81a3395ed916a87ea533e1a16c0f4e15df96fa7d4',
  index: 3,
})
psbt.addInput({
  hash: 'ff5dce988413971fd812d0e81a3395ed916a87ea533e1a16c0f4e15df96fa7d4',
  index: 1,
})
psbt.addOutput({
  script: Buffer.from(
    'a914e18870f2c297fbfca54c5c6f645c7745a5b66eda87',
    'hex',
  ),
  value: 1234567890,
})
psbt.addOutput({
  script: Buffer.from(
    'a914e18870f2c297fbfca54c5c6f645c7745a5b66eda87',
    'hex',
  ),
  value: 987654321,
})
psbt.addRedeemScriptToInput(0, Buffer.from(
  '00208c2353173743b595dfb4a07b72ba8e42e3797da74e87fe7d9d7497e3b2028903',
  'hex',
))
psbt.addWitnessScriptToInput(0, Buffer.from(
  '522103089dc10c7ac6db54f91329af617333db388cead0c231f723379d1b9903' +
  '0b02dc21023add904f3d6dcf59ddb906b0dee23529b7ffb9ed50e5e861519268' +
  '60221f0e7352ae',
  'hex',
))
psbt.addBip32DerivationToInput(0, {
  masterFingerprint: Buffer.from('d90c6a4f', 'hex'),
  pubkey: Buffer.from(
    '023add904f3d6dcf59ddb906b0dee23529b7ffb9ed50e5e86151926860221f0e73',
    'hex',
  ),
  path: "m/0'/0'/3'",
})
psbt.addBip32DerivationToInput(0, {
  masterFingerprint: Buffer.from('d90c6a4f', 'hex'),
  pubkey: Buffer.from(
    '03089dc10c7ac6db54f91329af617333db388cead0c231f723379d1b99030b02dc',
    'hex',
  ),
  path: "m/0'/0'/2'",
})
const b64 = psbt.toBase64()
```
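The usage comments say the function passed to Psbt.fromBuffer should throw if the scriptSig section is not empty. The block below is an added example of that check, not code from this package or from bitcoinjs-lib. The names parseUnsignedTx and sampleTx are hypothetical, the sample bytes are constructed, and only the legacy (non-witness) serialization is handled.

```javascript
// Added example: parse a legacy-serialized transaction and enforce that
// every input's scriptSig is empty, as a PSBT's unsigned transaction requires.
function parseUnsignedTx(buf) {
  let pos = 0;
  // Bounds-checked read so a short buffer fails loudly instead of reading garbage.
  const take = (n) => {
    if (pos + n > buf.length) throw new Error('truncated transaction');
    const out = buf.subarray(pos, pos + n);
    pos += n;
    return out;
  };
  // Bitcoin compact-size integer (the 8-byte form is left out of this example).
  const varInt = () => {
    const first = take(1)[0];
    if (first < 0xfd) return first;
    if (first === 0xfd) return take(2).readUInt16LE(0);
    if (first === 0xfe) return take(4).readUInt32LE(0);
    throw new Error('64-bit varint not supported in this example');
  };
  const tx = { version: take(4).readInt32LE(0), ins: [], outs: [] };
  const inCount = varInt();
  for (let i = 0; i < inCount; i++) {
    const hash = Buffer.from(take(32));
    const index = take(4).readUInt32LE(0);
    // A non-zero length means the transaction already carries signature data.
    if (varInt() !== 0) {
      throw new Error(`input ${i}: scriptSig must be empty in a PSBT`);
    }
    tx.ins.push({ hash, index, sequence: take(4).readUInt32LE(0) });
  }
  const outCount = varInt();
  for (let i = 0; i < outCount; i++) {
    const value = take(8).readBigUInt64LE(0);
    tx.outs.push({ value, script: Buffer.from(take(varInt())) });
  }
  tx.locktime = take(4).readUInt32LE(0);
  if (pos !== buf.length) throw new Error('trailing bytes after locktime');
  return tx;
}

// Constructed sample: one input, one output, optional scriptSig bytes (hex).
function sampleTx(scriptSigHex) {
  const sigLen = (scriptSigHex.length / 2).toString(16).padStart(2, '0');
  return Buffer.from([
    '02000000', '01', 'aa'.repeat(32), '03000000', sigLen + scriptSigHex,
    'ffffffff', '01', 'd202964900000000',
    '17a914e18870f2c297fbfca54c5c6f645c7745a5b66eda87', '00000000',
  ].join(''), 'hex');
}
```

A real TransactionFromBuffer implementation would wrap the parsed result in an object exposing addInput, addOutput and toBuffer, as the interface described above expects.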
FAQs
Fork of bip174 with BitGo specific changes
The npm package @bitgo-forks/bip174 receives a total of 27,154 weekly downloads. As such, @bitgo-forks/bip174 popularity was classified as popular.
We found that @bitgo-forks/bip174 demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 4 open source maintainers collaborating on the project.