
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@cartel-sh/api
Advanced tools
Shared database package with REST API and SDK for Cartel.
# Install dependencies
bun install
# Copy environment variables
cp .env.example .env
# Edit .env with your database credentials and JWT secret
Create a .env file with the following variables:
# PostgreSQL connection string
DATABASE_URL=postgres://username:password@host:port/database
# JWT Secret for token signing (required, minimum 32 characters)
JWT_SECRET=your-secret-key-minimum-32-characters-change-in-production
# Server port (default: 3003)
PORT=3003
# Root API key (optional)
# This key bypasses database authentication and has full system access
# Use only for administration and emergency access
# API_KEY=your-root-api-key-here
# Development mode with hot reload
bun run server:dev
# Production mode
bun run server
The API server will be available at http://localhost:3003
# Generate migrations
bun run db:generate
# Run migrations
bun run db:migrate
# Push schema changes directly (development)
bun run db:push
# Open Drizzle Studio (database GUI)
bun run db:studio
The API follows OAuth 2.0 patterns with bearer tokens and API keys.
POST /api/auth/verify
X-API-Key: <client-api-key>
Content-Type: application/json
{
"message": "...",
"signature": "0x..."
}
{
"accessToken": "eyJhbGc...",
"refreshToken": "crt_ref_...",
"expiresIn": 900,
"tokenType": "Bearer",
"userId": "...",
"address": "0x..."
}
GET /api/users/me
Authorization: Bearer <access-token>
When access token expires:
POST /api/auth/refresh
Content-Type: application/json
{
"refreshToken": "crt_ref_..."
}
Returns new token pair:
{
"accessToken": "eyJhbGc...",
"refreshToken": "crt_ref_...",
"expiresIn": 900,
"tokenType": "Bearer"
}
API keys are used for:
X-API-Key: cartel_<32-character-key>
API Key Features:
import { CartelClient } from "@cartel/api/client";
// Initialize client
const client = new CartelClient(
"https://api.cartel.sh",
"cartel_your_api_key_here"
);
// Authenticate with SIWE
const auth = await client.verifySiwe(message, signature);
// Tokens are automatically stored and managed
// Make authenticated requests
const user = await client.getCurrentUser();
// Logout (clears tokens)
client.logout();
The SDK provides flexible token storage:
// Browser - uses localStorage by default
const client = new CartelClient(apiUrl, apiKey);
// Node.js - uses in-memory storage by default
const client = new CartelClient(apiUrl, apiKey);
// Custom storage implementation
import { InMemoryTokenStorage } from "@cartel/api/client";
const storage = new InMemoryTokenStorage();
const client = new CartelClient(apiUrl, apiKey, storage);
POST /api/auth/verify - Verify SIWE signature and get tokensPOST /api/auth/refresh - Refresh access tokenGET /api/auth/me - Get current user infoPOST /api/auth/revoke - Revoke all refresh tokensGET /api/users/id/discord/:discordId - Get user ID by Discord IDPOST /api/users/identities/lookup - Lookup user by various identitiesPOST /api/users/identities - Add identity to userDELETE /api/users/identities/:userId/:platform/:identity - Remove identityPOST /api/discord/vanish - Create vanishing channelDELETE /api/discord/vanish/:channelId - Remove vanishing channelGET /api/discord/vanish - List vanishing channelsPOST /api/discord/channels - Set guild channelGET /api/discord/channels/:guildId/:key - Get guild channelPOST /api/sessions/practice - Start practice sessionPOST /api/sessions/practice/stop - Stop practice sessionGET /api/sessions/practice/stats/daily/:discordId - Get daily statsGET /api/sessions/practice/stats/weekly/:discordId - Get weekly statsPOST /api/users/applications - Create applicationGET /api/users/applications/pending - Get pending applicationsPATCH /api/users/applications/:applicationId - Update application statusPOST /api/users/applications/:applicationId/vote - Add vote to applicationPOST /api/projects - Create projectGET /api/projects/:projectId - Get projectPATCH /api/projects/:projectId - Update projectDELETE /api/projects/:projectId - Delete projectGET /api/projects/user/:userId - Get user's projectsPOST /api/admin/keys - Create API key (requires admin scope)GET /api/admin/keys - List API keysDELETE /api/admin/keys/:keyId - Delete API keyPOST /api/admin/identities/merge - Merge user accountsDynamic rate limits based on authentication:
| Auth Type | Requests/Minute |
|---|---|
| Root/Admin | 1000 |
| API Key | 100 |
| Bearer Token | 60 |
| Unauthenticated | 20 |
Special limits for sensitive operations:
Rate limit headers:
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 59
X-RateLimit-Reset: 1234567890
# Build for production
bun run build
# Type checking
bun run typecheck
# Linting
npx @biomejs/biome check --write .
/reference when server is running/openapi.json/llms.txtISC
git checkout -b feature/amazing-feature)git commit -m 'Add some amazing feature')git push origin feature/amazing-feature)FAQs
Shared REST API and SDK for Cartel
We found that @cartel-sh/api demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.