
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@canton-network/core-signing-lib
Advanced tools
This library provides:
interface for signing drivers to implement:export interface SigningDriverInterface {
partyMode: PartyMode
signingProvider: SigningProvider
controller: (authContext: AuthContext | undefined) => Methods
}
The controller function should be an implementation of buildController from ./src/rpc-gen/index.ts which takes an optional AuthContext.
To see a simple example of a signing driver, see core/singing-internal.
Other than the optional internalTxId parameter in signTransaction, ALL instances of txId refer to the TransactionID given by the signing provider, not the Wallet Gateway.
While some signing providers allow an external transaction to be stored with the transaction, this cannot be relied upon, therefore in order to lookup specific transactions, the Wallet Gateway must store and use the transaction ID given by the signing provider (which is returned by the signTransaction method).
FAQs
Core library for signing driver implementations
The npm package @canton-network/core-signing-lib receives a total of 68,267 weekly downloads. As such, @canton-network/core-signing-lib popularity was classified as popular.
We found that @canton-network/core-signing-lib demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.