Research
Malicious fezbox npm Package Steals Browser Passwords from Cookies via Innovative QR Code Steganographic Technique
A malicious package uses a QR code as steganography in an innovative technique.
By Olivia Brown - Sep 22, 2025
@deriv-com/api-client
Advanced tools
Deriv API Client
A lightweight, zero dependency wrapper around the WebSockets Web API and the native Node WebSocket (Node V22 and above) that is fully typed to Deriv's Backend WebSocket (Deriv WS API Explorer).
Requirements
- Node version 22 and above (With native WebSocket API): for running it on the Backend or a Node runner
- For browser - generally all is supported
Getting Started
Using the Library
You can start by installing the library via the following commands:
npm
npm i @deriv-com/api-client
pnpm
pnpm install @deriv-com/api-client
yarn
yarn add @deriv-com/api-client
To use it in your codebase, simply initialise the `DerivAPICLient` class and invoke the methods available. Most of the things you need (Deriv WS endpoints, handler, etc) are all included and internalised within the library itself.
const derivAPI = new DerivAPIClient();
const response = await derivAPI.send({ name: 'get_account_status' });
console.log(response);
Contributing to the Library
Starting the Development Server
This project comes with a sandbox served with HMR. In it you have a sample code which you can test your changes. To run the sandbox run:
npm run dev
Functionalities
- Conversion of Request/Response Deriv WS Calls to JavaScript Promises
- Deduping Subscriptions via Internal Subscription Tracking
- Separating data handlers (
onData) with WebSocket message streams - there will always be only one subscription per payload to Deriv WS BE - Asynchronous queuing calls when WebSocket calls are
connecting,disconnectorreconnecting - Connection keep alive mechanism
- Allow error handling via callbacks by forwarding the generic Deriv WS
response.errorproperty - Fully typed safe endpoints - Typed payload based on endpoint names
Core Functions
Send
async send({ name, payload })
The send method is for request/response Deriv WS call that do not have subscriptions. These types of call will only return one response for every call you make.
name- typesafe to all deriv WS request/response endpoint names (TSocketEndpointNames).payload- typesafe to the expected payload (mapped to thename). Default payload will always be set to{ [name]: 1 }. For example for theget_account_statuscall, if no payload is passed will result in the following payload sent to the BE
{
"get_account_status": 1
}
Subscribe
Unsubscribe
Keywords
FAQs
A lightweight wrapper around Deriv's WebSocket API
We found that @deriv-com/api-client demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 0 open source maintainers collaborating on the project.
Package last updated on 13 Aug 2024
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
/Security News
Identifying and Preventing Fraudulent Engineering Candidates: An Investigation into 80 Confirmed Cases
Socket identified 80 fake candidates targeting engineering roles, including suspected North Korean operators, exposing the new reality of hiring as a security function.
By Lauren Valencia, Kirill Boychenko - Sep 17, 2025
Application Security
/Research
/Security News
Updated and Ongoing Supply Chain Attack Targets CrowdStrike npm Packages
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that has now impacted nearly 500 packages.
By Kush Pandya, Peter van der Zee, Olivia Brown, Socket Research Team - Sep 16, 2025