Research
Security News
Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
@cleanunicorn/mythos
Advanced tools
A CLI client for MythX
Install globally using:
$ npm -g install @cleanunicorn/mythos
Use this to scan Solidity source code.
You need to provide your MythX address and password.
As an env variable:
$ export MYTHX_ETH_ADDRESS='mythxEthAddress'
$ export MYTHX_PASSWORD='mythxPassword'
$ mythos analyze ./contract.sol Contract
Or as flags:
$ mythos analyze ./contract.sol Contract \
--mythxEthAddress=mythxEthAddress \
--mythxPassword=mythxPassword
Example:
$ mythos analyze no-pragma.sol NoPragma
Reading contract no-pragma.sol... done
Compiling with Solidity version: latest
› Warning: no-pragma.sol:1:1: Warning: Source file does not specify required compiler version! Consider adding "pragma solidity ^0.5.7;"
› contract NoPragma {
› ^ (Relevant source part starts here and spans across multiple lines).
›
Compiling contract no-pragma.sol... done
Analyzing contract NoPragma... done
UUID: 9350d5c4-b89f-43ef-b1f7-48840fee8a02
API Version: v1.4.12
Harvey Version: 0.0.16
Maestro Version: 1.2.6
Maru Version: 0.4.2
Mythril Version: 0.20.3
Report found 2 issues
Meta:
Covered instructions: 40
Covered paths: 4
Selected compiler version: v0.4.25
Title: (SWC-106) Unprotected SELFDESTRUCT Instruction
Severity: High
Head: The contract can be killed by anyone.
Description: Anyone can kill this contract and withdraw its balance to an arbitrary address.
Source code:
no-pragma.sol 3:8
--------------------------------------------------
selfdestruct(msg.sender)
--------------------------------------------------
==================================================
Title: (SWC-103) Floating Pragma
Severity: Medium
Head: No pragma is set.
Description: It is recommended to make a conscious choice on what version of Solidity is used for compilation. Currently no version is set in the Solidity file.
Source code:
no-pragma.sol 1:0
--------------------------------------------------
--------------------------------------------------
==================================================
Done
$ npm install -g @cleanunicorn/mythos
$ mythos COMMAND
running command...
$ mythos (-v|--version|version)
@cleanunicorn/mythos/0.13.0 linux-x64 node-v10.19.0
$ mythos --help [COMMAND]
USAGE
$ mythos COMMAND
...
mythos analyze CONTRACTFILE CONTRACTNAME
Scan a smart contract with MythX API
USAGE
$ mythos analyze CONTRACTFILE CONTRACTNAME
ARGUMENTS
CONTRACTFILE Contract file to scan
CONTRACTNAME Contract name
OPTIONS
-h, --help show CLI help
--analysisMode=analysisMode [default: quick] Define the analysis mode when requesting a scan. Choose one from:
quick, full.
--mythxEthAddress=mythxEthAddress (required)
--mythxPassword=mythxPassword (required)
--solcVersion=solcVersion Solidity version to use when compiling (example: 0.4.21). If none is specified it
will try to identify the version from the source code.
--timeout=timeout [default: 180] How many seconds to wait for the result
See code: src/commands/analyze.ts
mythos get-analysis UUID
Retrieve analysis results scanned with MythX API
USAGE
$ mythos get-analysis UUID
ARGUMENTS
UUID uuid to retrive analysis results
OPTIONS
-h, --help show CLI help
--mythxEthAddress=mythxEthAddress (required)
--mythxPassword=mythxPassword (required)
See code: src/commands/get-analysis.ts
mythos help [COMMAND]
display help for mythos
USAGE
$ mythos help [COMMAND]
ARGUMENTS
COMMAND command to show help for
OPTIONS
--all see all commands in CLI
See code: @oclif/plugin-help
Before you start hacking away, make sure to install dependencies.
$ npm i
Add your tests, code and make sure tests work.
$ npm test
If you need to update the test golden files you need to enable GENERATE_GOLDEN
when running tests.
$ GENERATE_GOLDEN=true npm test
Update version number in package.json
version to the new number without v
(i.e. 0.12.3
)
{
"name": "@cleanunicorn/mythos",
"description": "A CLI client for MythX",
"version": "0.12.3",
...
Update the Changelog
section in readme and add a description of what was changed.
* [0.12.3](https://github.com/cleanunicorn/mythos/releases/tag/v0.12.3)
* Describe new functionality added.
And run oclif
to update other sections of the readme.
$ npx oclif-dev readme
Tag your commit with the same version number preceded by a v
(i.e. v0.12.3
).
$ git add .
$ git commit -m "Describe new functionality added."
$ git tag v0.12.3
Finally publish the package.
$ npm publish --access public
eslint-utils
to 1.4.2 because of a security issue.lodash.template
to 4.5.0 because of a security issue.folder\file.sol
are transformed to folder/file.sol
.output.txt
file from repo.mainSource
.get-analysis
to save response as issues-${uuid}.json
Severity
to output.--analysisMode
can be full
or quick
.FAQs
A CLI client for MythX
The npm package @cleanunicorn/mythos receives a total of 1 weekly downloads. As such, @cleanunicorn/mythos popularity was classified as not popular.
We found that @cleanunicorn/mythos demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.