@metamask/detect-provider
A tiny utility for detecting the MetaMask Ethereum provider, or any EIP 1193-compliant provider.
A tiny utility for detecting the MetaMask Ethereum provider, or any provider injected at window.ethereum.
It has 0 dependencies and works out of the box in any modern browser, for synchronously and asynchronously injected providers.
Keep in mind that the providers detected by this package may or may not support the Ethereum JavaScript Provider API. Please consult the MetaMask documentation to learn how to use our provider.
import detectEthereumProvider from '@metamask/detect-provider'

const provider = await detectEthereumProvider()

if (provider) {
  console.log('Ethereum successfully detected!')

  // From now on, this should always be true:
  // provider === window.ethereum

  // Access the decentralized web!

  // Legacy providers may only have ethereum.sendAsync
  const chainId = await provider.request({
    method: 'eth_chainId'
  })
} else {
  // if the provider is not detected, detectEthereumProvider resolves to null
  console.error('Please install MetaMask!')
}
<script src="https://unpkg.com/@metamask/detect-provider/dist/detect-provider.min.js"></script>
<script type="text/javascript">
  // await is not allowed at the top level of a classic script, so wrap the call
  (async () => {
    const provider = await detectEthereumProvider()
    if (provider) {
      // handle provider
    } else {
      // handle no provider
    }
  })()
</script>
The exported function takes an optional options object.
If invalid options are provided, an error will be thrown.
All options have default values.
options.mustBeMetaMask
Type: boolean
Default: false
Whether window.ethereum.isMetaMask === true is required for the returned Promise to resolve.
options.silent
Type: boolean
Default: false
Whether error messages should be logged to the console. Does not affect errors thrown due to invalid options.
options.timeout
Type: number
Default: 3000
How many milliseconds to wait for asynchronously injected providers.
Providers can be either synchronously or asynchronously injected:
The MetaMask extension provider is synchronously injected, while the MetaMask mobile provider is asynchronously injected.
To notify sites of asynchronous injection, MetaMask dispatches the ethereum#initialized event on window immediately after the provider has been set as window.ethereum.
This package relies on that event to detect asynchronous injection.
window.ethereum
The detected provider object returned by this package will strictly equal (===) window.ethereum for the entire page lifecycle, unless window.ethereum is overwritten.
In general, consumers should never overwrite window.ethereum or attempt to modify the provider object.
If, as a dapp developer, you notice that the provider returned by this package does not strictly equal window.ethereum, something is wrong.
This may happen, for example, if the user has multiple wallets installed.
After confirming that your code and dependencies are not modifying or overwriting window.ethereum, you should ask the user to ensure that they only have a single provider-injecting wallet enabled at any one time.
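The strict-equality guarantee described above can be checked before every call instead of only once at startup. The following is an added example, not code from the package or its README: `createProviderGuard` and the stand-in `win` and wallet objects are hypothetical names, and it assumes that a changed `request` reference is a sufficient signal that the provider object was modified.

```javascript
// Added example: refuse to use a detected provider once window.ethereum
// no longer strictly equals it, or once its request() has been swapped.
function createProviderGuard(win, provider) {
  if (!provider || typeof provider.request !== 'function') {
    throw new TypeError('expected a detected provider with a request() method')
  }
  // Snapshot taken at detection time; later checks compare against it.
  const originalRequest = provider.request

  function status() {
    if (win.ethereum === undefined || win.ethereum === null) return 'removed'
    if (win.ethereum !== provider) return 'replaced'            // global was overwritten
    if (provider.request !== originalRequest) return 'modified' // provider was patched
    return 'intact'
  }

  // Forward a call only while the identity guarantee still holds.
  function request(args) {
    const s = status()
    if (s !== 'intact') {
      return Promise.reject(new Error('window.ethereum is ' + s + '; request not forwarded'))
    }
    return originalRequest.call(provider, args)
  }

  return { status, request }
}

// Constructed sample: plain objects standing in for window and two wallets.
function demo() {
  const walletA = { isMetaMask: true, request: async () => '0x1' }
  const walletB = { request: async () => '0x89' }
  const win = { ethereum: walletA }
  const guard = createProviderGuard(win, walletA)

  const seen = [guard.status()]          // nothing has changed yet
  walletA.request = async () => '0xdead' // some code patches the provider object
  seen.push(guard.status())
  win.ethereum = walletB                 // a second wallet overwrites the global
  seen.push(guard.status())
  delete win.ethereum                    // the global disappears entirely
  seen.push(guard.status())
  return seen
}
```

In a dapp, pass the real `window` and the value resolved by `detectEthereumProvider()`, and surface any status other than `intact` to the user as the multiple-wallet condition described above.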
[2.0.0]
window.ethereum so that it can be assigned its own type outside of detectEthereumProvider (#30)
FAQs
The npm package @metamask/detect-provider receives a total of 40,552 weekly downloads. As such, the popularity of @metamask/detect-provider was classified as popular.
We found that @metamask/detect-provider demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 7 open source maintainers collaborating on the project.