@hishprorg/nihil-iusto-quisquam
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT) ![npm (scoped)](https://img.shields.io/npm/v/@hishprorg/nihil-iusto-quisquam) ![node-current (scoped)](https://img.shields.io/node/v/@hishprorg/nihil
Supporting command-line tool for @tsmx/secure-config.
Features:
To get more information please also check out the secure-config documentation.
[tsmx@localhost ]$ npm i -g @hishprorg/nihil-iusto-quisquam
For better convenience the installation as a global package is recommended. Though local installation and use is also possible.
Read an existing JSON configuration file and encrypt the values according to the specified key patterns. Also adds an HMAC property to the JSON configuration to enable validation against illegal tampering.
The result is printed to stdout. Use > to save it in a new file.
The key used to create the secure configuration has to be set as environment variable CONFIG_ENCRYPTION_KEY. See the genkey option on how to create and export a secure key.
[tsmx@localhost ]$ secure-config-tool create config.json > config-production.json
A comma-separated list of patterns for the keys of the configuration file that should be encrypted. Pattern matching is done for every key of the provided JSON input with a case-insensitive RegEx validation. If the match succeeds, the value of the key is encrypted.
[tsmx@localhost ]$ secure-config-tool create -p "Username,Password" config.json > config-production.json
In the example stated above every key is tested case-insensitively against the two regular expressions /Username/ and /Password/.
If no patterns are explicitly specified by using this option, the standard patterns are used: 'user', 'pass', 'token'.
Do not encrypt any value of the input file. Helpful if you want to use only the HMAC feature without any encryption.
Do not create and add the configuration's HMAC to the output. Helpful if you only want to use encryption without HMAC.
Specify a property name to store the generated HMAC value in. Defaults to __hmac if the option is not present. Doesn't have any effect if -nh is specified at the same time.
Updates the HMAC of an existing secure configuration file after it has been changed (properties added/deleted/changed...).
The result is printed to stdout. Use > to save it in a new file or the --overwrite option.
The key used to update the HMAC has to be set as environment variable CONFIG_ENCRYPTION_KEY. Make sure to use the right key which was used to create the already existing secure-config file.
[tsmx@localhost ]$ secure-config-tool update-hmac -o config-production.json
Overwrite the original configuration file with the updated HMAC instead of writing to stdout.
Use this option to specify the property name of the HMAC value to be updated if it deviates from the default __hmac.
Test decryption and HMAC validation of an existing secure-configuration file. The key to test against has to be set as environment variable CONFIG_ENCRYPTION_KEY.
[tsmx@localhost ]$ export CONFIG_ENCRYPTION_KEY=9af7...
[tsmx@localhost ]$ secure-config-tool test config-production.json
Decryption: PASSED
HMAC: PASSED
Specify the property name of the HMAC value to validate against. Defaults to __hmac if the option is not present. Doesn't have any effect if -sh is specified at the same time.
Skip the HMAC validation test.
Print out the raw input data and the decrypted data.
Generate a cryptographic 32-byte key to be used for AES encryption/decryption as well as HMAC validation of your configuration.
[tsmx@localhost ]$ secure-config-tool genkey
9af7d400be4705147dc724db25bfd2513aa11d6013d7bf7bdb2bfe050593bd0f
[tsmx@localhost ]$ export CONFIG_ENCRYPTION_KEY=9af7d400be4705147dc724db25bfd2513aa11d6013d7bf7bdb2bfe050593bd0f
Encrypt a single value string for copy & paste to a JSON configuration file.
[tsmx@localhost ]$ secure-config-tool encrypt "MySecret"
ENCRYPTED|82da1c22e867d68007d66a23b7b748b3|452a2ed1105ec5607576b820b90aa49f
Decrypt a single value string for testing purposes.
[tsmx@localhost ]$ secure-config-tool decrypt "ENCRYPTED|82da1c22e867d68007d66a23b7b748b3|452a2ed1105ec5607576b820b90aa49f"
MySecret
{ configArray: [ { key: 'ENCRYPTED|...' }, { key: 'ENCRYPTED|... ' } ] }
npm install
npm test