Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@ledgerhq/hw-transport
Advanced tools
Ledger Hardware Wallet common interface of the communication layer
@ledgerhq/hw-transport is a JavaScript library that provides a set of transport methods to communicate with Ledger hardware wallets. It supports various transport protocols such as USB, WebUSB, and Bluetooth, allowing developers to interact with Ledger devices in a secure and efficient manner.
USB Transport
This feature allows you to connect to a Ledger device using USB. The code sample demonstrates how to establish a connection and then close it.
const Transport = require('@ledgerhq/hw-transport-node-hid').default;
async function connectLedger() {
const transport = await Transport.create();
console.log('Connected to Ledger via USB');
await transport.close();
}
connectLedger();
WebUSB Transport
This feature allows you to connect to a Ledger device using WebUSB. The code sample demonstrates how to establish a connection and then close it.
const TransportWebUSB = require('@ledgerhq/hw-transport-webusb').default;
async function connectLedgerWebUSB() {
const transport = await TransportWebUSB.create();
console.log('Connected to Ledger via WebUSB');
await transport.close();
}
connectLedgerWebUSB();
Bluetooth Transport
This feature allows you to connect to a Ledger device using Bluetooth. The code sample demonstrates how to establish a connection and then close it.
const TransportBLE = require('@ledgerhq/hw-transport-ble').default;
async function connectLedgerBLE() {
const transport = await TransportBLE.create();
console.log('Connected to Ledger via Bluetooth');
await transport.close();
}
connectLedgerBLE();
trezor-connect is a JavaScript library for communicating with Trezor hardware wallets. It provides similar functionalities to @ledgerhq/hw-transport, such as USB and WebUSB support, but is specifically designed for Trezor devices.
bitbox02-api is a JavaScript library for interacting with BitBox02 hardware wallets. It offers functionalities similar to @ledgerhq/hw-transport, including USB communication, but is tailored for BitBox02 devices.
@ledgerhq/hw-transport
implements the generic interface of a Ledger Hardware Wallet transport.
Type: {unsubscribe: function (): void}
unsubscribe
function (): voidType: Object
type: add or remove event descriptor: a parameter that can be passed to open(descriptor) deviceModel: device info on the model (is it a nano s, nano x, ...) device: transport specific device info
Type: {type: ("add"
| "remove"
), descriptor: Descriptor, deviceModel: DeviceModel??, device: Device?}
type
("add"
| "remove"
)descriptor
DescriptordeviceModel
DeviceModel??device
Device?Type: $ReadOnly<{next: function (event: Ev): any, error: function (e: any): any, complete: function (): any}>
Transport defines the generic interface to share between node/u2f impl A Descriptor is a parametric type that is up to be determined for the implementation. it can be for instance an ID, an file path, a URL,...
low level api to communicate with the device This method is for implementations to implement but should not be directly called. Instead, the recommanded way is to use send() method
Type: function (apdu: Buffer): Promise<Buffer>
apdu
the data to sendReturns any a Promise of response data
set the "scramble key" for the next exchanges with the device. Each App can have a different scramble key and they internally will set it at instanciation.
Type: function (key: string): void
key
the scramble keyclose the exchange with the device.
Type: function (): Promise<void>
Returns any a Promise that ends when the transport is closed.
Listen to an event on an instance of transport. Transport implementation can have specific events. Here is the common events:
"disconnect"
: triggered if Transport is disconnectedStop listening to an event on an instance of transport.
Enable or not logs of the binary exchange
Set a timeout (in milliseconds) for the exchange call. Only some transport might implement it. (e.g. U2F)
exchangeTimeout
numberwrapper on top of exchange to simplify work of the implementation.
cla
numberins
numberp1
numberp2
numberdata
Buffer (optional, default Buffer.alloc(0)
)statusList
Array<number> is a list of accepted status code (shorts). [0x9000] by default (optional, default [StatusCodes.OK]
)Returns Promise<Buffer> a Promise of response buffer
Statically check if a transport is supported on the user's platform/browser.
Type: function (): Promise<boolean>
List once all available descriptors. For a better granularity, checkout listen()
.
Type: function (): Promise<Array<Descriptor>>
TransportFoo.list().then(descriptors => ...)
Returns any a promise of descriptors
Listen all device events for a given Transport. The method takes an Obverver of DescriptorEvent and returns a Subscription (according to Observable paradigm https://github.com/tc39/proposal-observable )
a DescriptorEvent is a { descriptor, type }
object. type can be "add"
or "remove"
and descriptor is a value you can pass to open(descriptor)
.
each listen() call will first emit all potential device already connected and then will emit events can come over times,
for instance if you plug a USB device after listen() or a bluetooth device become discoverable.
Type: function (observer: Observer<DescriptorEvent<Descriptor>>): Subscription
observer
is an object with a next, error and complete function (compatible with observer pattern)const sub = TransportFoo.listen({
next: e => {
if (e.type==="add") {
sub.unsubscribe();
const transport = await TransportFoo.open(e.descriptor);
...
}
},
error: error => {},
complete: () => {}
})
Returns any a Subscription object on which you can .unsubscribe()
to stop listening descriptors.
attempt to create a Transport instance with potentially a descriptor.
Type: function (descriptor: Descriptor, timeout: number): Promise<Transport<Descriptor>>
descriptor
: the descriptor to open the transport with.timeout
: an optional timeoutTransportFoo.open(descriptor).then(transport => ...)
Returns any a Promise of Transport instance
create() allows to open the first descriptor available or throw if there is none or if timeout is reached. This is a light helper, alternative to using listen() and open() (that you may need for any more advanced usecase)
TransportFoo.create().then(transport => ...)
FAQs
Ledger Hardware Wallet common interface of the communication layer
The npm package @ledgerhq/hw-transport receives a total of 277,738 weekly downloads. As such, @ledgerhq/hw-transport popularity was classified as popular.
We found that @ledgerhq/hw-transport demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 8 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.