Security News
Another Round of TEA Protocol Spam Floods npm, But It’s Not a Worm
Recent coverage mislabels the latest TEA protocol spam as a worm. Here’s what’s actually happening.
By Philipp Burckhardt - Nov 14, 2025
@embetty/server
Advanced tools
@embetty/server
[Embetty](https://github.com/heiseonline/embetty) displays remote content like tweets or YouTube videos without compromising your privacy. `embetty-server` acts as a proxy and provides the necessary data.
embetty-server · 
Embetty displays remote content like tweets or YouTube videos without compromising your privacy. embetty-server acts as a proxy and provides the necessary data.
Embetty server can be run in two different ways:
- Use the official Docker image to run it in a container.
- Install it directly and use a process manager.
It's necessary to configure a reverse proxy to make Embetty server reachable either way.
Running Embetty server with Docker
The docker image exposes the server on port 8080 and can be configured using environment variables.
$ docker run \
-p 8080:8080 \
--name embetty \
--rm \
-e VALID_ORIGINS=https://example.com \
-e TWITTER_ACCESS_TOKEN_KEY=... \
-e TWITTER_ACCESS_TOKEN_SECRET=... \
-e TWITTER_CONSUMER_KEY=... \
-e TWITTER_CONSUMER_SECRET=... \
heiseonline/embetty-server:latest
Running Embetty server with a process manager
This requires Node.js version 8 or later.
- Install Embetty server by running
yarn global add @embetty/server. This makes theembettycommand available on the server. - Setup a process manager like Forever, PM2 or StrongLoop Process Manager.
- Configure the Process manager to run
embetty start. The commandembetty start --helpprints a list of all supported options.
Configuration
Embetty server can be configured using the following environment variables:
| Variable | Required | Description |
|---|---|---|
URL_BASE | no | The base URL of the Embetty server instance, e.g. https://my-server.com/path/to/embetty. |
DEBUG | no | This variable controls the output of log messages. You may set it to embetty.* to log all Embetty messages to STDOUT. |
EMBETTY_CACHE | no | Connection string of a cache adapter. Currently Redis (example: redis://) and LRU (example: lru://) are supported. |
PORT | no | This variable can be used to specify the port on which Embetty Server listens. Default: 3000 |
TWITTER_ACCESS_TOKEN_KEY | [1] | Twitter Access Token |
TWITTER_ACCESS_TOKEN_SECRET | [1] | Twitter Access Token Secret |
TWITTER_CONSUMER_KEY | [1] | Twitter consumer Key (API Key) |
TWITTER_CONSUMER_SECRET | [1] | Twitter consumer Secret (API Secret) |
VALID_ORIGINS | yes | Contains a comma-separated list of allowed origins. Examples: https://example.com, https://a.example.com,https://b.example.com or *. |
To display tweets with Embetty, the Twitter environment variables listed above need to be defined. Both tokens, the key and the secret can be obtained by creating a Twitter app.
Testing the server setup
The setup can be tested by sending a request to the running server. If everything was set up correctly, JSON data and the HTTP status code 200 are returned.
$ curl -i http://localhost:8080/version
$ curl -i http://localhost:8080/tweet/985882036777955328
$ curl -i http://localhost:8080/video/youtube/m6UOo2YGbIE-poster-image
Using Embetty with Google AMP ⚡️
Embetty server supports Google AMP ⚡️ out of the box via <amp-iframe>:
Tweet:
<amp-iframe
width="200"
height="100"
sandbox="allow-scripts allow-same-origin"
layout="responsive"
resizable
frameborder="0"
src="https://your-site.com/path/to/embetty-server/tweet/1004988454978179072.amp"
>
<div overflow tabindex="0" role="button" aria-label=""></div>
</amp-iframe>
Vimeo:
<amp-iframe
width="200"
height="100"
sandbox="allow-scripts allow-same-origin"
layout="responsive"
resizable
frameborder="0"
src="https://your-site.com/path/to/embetty-server/video/vimeo/1084537.amp"
>
<div overflow tabindex="0" role="button" aria-label=""></div>
</amp-iframe>
YouTube:
<amp-iframe
width="200"
height="100"
sandbox="allow-scripts allow-same-origin"
layout="responsive"
resizable
frameborder="0"
src="https://your-site.com/path/to/embetty-server/video/youtube/m6UOo2YGbIE.amp"
>
<div overflow tabindex="0" role="button" aria-label=""></div>
</amp-iframe>
Facebook:
<amp-iframe
width="200"
height="100"
sandbox="allow-scripts allow-same-origin"
layout="responsive"
resizable
frameborder="0"
src="https://your-site.com/path/to/embetty-server/video/facebook/10156049485672318.amp"
>
<div overflow tabindex="0" role="button" aria-label=""></div>
</amp-iframe>
Contributing to Embetty
See Contributing.
License
Embetty server is MIT licensed.
FAQs
[Embetty](https://github.com/heiseonline/embetty) displays remote content like tweets or YouTube videos without compromising your privacy. `embetty-server` acts as a proxy and provides the necessary data.
We found that @embetty/server demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 0 open source maintainers collaborating on the project.
Package last updated on 09 Sep 2024
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
PyPI Expands Trusted Publishing to GitLab Self-Managed as Adoption Passes 25 Percent
PyPI adds Trusted Publishing support for GitLab Self-Managed as adoption reaches 25% of uploads
By Sarah Gooding - Nov 14, 2025
Research
/Security News
Malicious Chrome Extension Exfiltrates Seed Phrases, Enabling Wallet Takeover
A malicious Chrome extension posing as an Ethereum wallet steals seed phrases by encoding them into Sui transactions, enabling full wallet takeover.
By Kirill Boychenko - Nov 12, 2025