Security News
Research
Supply Chain Attack on Rspack npm Packages Injects Cryptojacking Malware
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
@ludovicm67/webm-tools
Advanced tools
npm install @ludovicm67/webm-tools
The following is exposed:
Buffer
: Buffer that works on both Node.js and browsersutils.blobToArrayBuffer
: a function to convert a Blob to an ArrayBufferebmlSchema
: the EBML schemadecode
: decode an EBML elementdisplayDecodedElements
: display the decoded elements using console.log
fix
: the function to use to fix a chunk by using the previous oneWebM is a media format which has become the standard today. However, there's an issue while doing audio chunks because they lack crucial metadata. This essential metadata is stored in the first chunk, so we need to replicate it in the other chunks. The challenge here is that we can't simply extract the header bytes and append them to all other chunks, as each chunk is not an independent "block". They are interconnected, which can confuse the audio player.
Since WebM is based on Matroska, we can use Matroska tools, available at this link, to examine the chunks and ensure they are structured correctly.
Specifically, the mkvinfo
tool is employed to inspect these chunks.
Matroska employs the EBML (Extensible Binary Meta Language) format, which is a binary format consisting of elements. To address the issue, we must parse the EBML format to identify the specific elements that need to be transferred from the first chunk to the subsequent ones. These elements include the header, which contains essential metadata such as the codec, sampling frequency, and track type. Additionally, we need to transfer the last block of the first chunk, even if it's incomplete, as we will get the end of the block in the next chunk.
The proposed solution is to concatenate the header and the last block of the first chunk with the next chunk. This operation ensures that the structural integrity of the audio file is maintained, making it playable without causing confusion for the audio player.
The cli
folder contains a command line tool that can be used to fix or merge chunks.
Have a look at the README of the CLI for more information.
FAQs
WebM tools
The npm package @ludovicm67/webm-tools receives a total of 43 weekly downloads. As such, @ludovicm67/webm-tools popularity was classified as not popular.
We found that @ludovicm67/webm-tools demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.
Security News
Sonar’s acquisition of Tidelift highlights a growing industry shift toward sustainable open source funding, addressing maintainer burnout and critical software dependencies.