
Nandu Open NPM Registry CLI
To quickly get a working Nandu NPM registry, you can follow these steps and recommendations.
Nandu uses environment variables to configure all its settings, including the ROOT user credentials. The root user is the one that can bootstrap the service by creating new users and so on. The root user also has godlike permissions, so it is important to use it only for bootstrapping; the first thing to do is to create a new user and give it "admin" permissions.
When you start Nandu for the first time, it creates this root user, which you can then use to interact with the registry.
$ nandu start
Nandu is running on port 4567.
You will get a lot of debug logs unless you set NODE_ENV to production.
By default Nandu will use SQLite for storing the registry metadata, and the database file will be stored at ./storage/db/nandu.db. You can change this setting with the NANDU_SEQUELIZE_URI env variable.
The next step is to create an authentication token for the root user. You need to use the nandu CLI for this as well:
$ nandu token:create root
username: root
password: ******
New token created for user root {
id: 'ad4ac909-2cea-40ba-be4e-03ec4fbb57bf',
token: 'c0463461-23fb-4642-a927-820b0d71ffb8',
readonly: false,
created: '2021-11-11T08:09:47.532Z'
}
You can create tokens on behalf of other users if the user you use for creating the tokens has the correct permissions.
Nandu supports many of the advanced features of the NPM registry, such as teams, scopes, and more, so you will most likely interact with your Nandu server using the standard [NPM CLI](https://docs.npmjs.com/cli/v8).
Let's take, for example, the case where we want to create a team, add a user to said team, and then give read access to a given package that is part of that team.
Start by adding a team:
$ npm team add myorg:myteam
We have now created a team inside the org/scope "myorg". You can see the list of teams by running:
$ npm team ls
Now we want to add a package to said team:
$ npm access grant read-only @myorg:myteam @myorg/mypackage
$ npm install -g @nandu/cli
$ nandu COMMAND
running command...
$ nandu (--version)
@nandu/cli/1.0.0 linux-x64 node-v20.19.1
$ nandu --help [COMMAND]
USAGE
$ nandu COMMAND
...
nandu start
Starts Nandu Open NPM Server
USAGE
$ nandu start [-h] [-p <value>] [-f]
FLAGS
-f, --force
-h, --help Show CLI help.
-p, --port=<value> [default: 4567] listen to port
DESCRIPTION
Starts Nandu Open NPM Server
EXAMPLES
$ nandu start -p 4567
See code: src/commands/start.ts
nandu token
Manage NPM Registry tokens
USAGE
$ nandu token
DESCRIPTION
Manage NPM Registry tokens
EXAMPLES
$ nandu token:create myuser
See code: src/commands/token/index.ts
nandu token:create USER
create a new token for given user
USAGE
$ nandu token:create USER --registry <value> [-h] [--token <value> | ] [--readonly] [--cidr-whitelist <value>]
FLAGS
-h, --help Show CLI help.
--cidr-whitelist=<value> comma separated list of whitelisted cidrs
--readonly generate a readonly token
--registry=<value> (required) URI pointing to your Nandu NPM Registry
--token=<value> Token to be used for authentication, uses NPM_TOKEN env variable if unspecified
DESCRIPTION
create a new token for given user
EXAMPLES
$ nandu start -p 4567
See code: src/commands/token/create.ts
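The `--readonly` and `--cidr-whitelist` flags above make it possible to hand out tokens that are far weaker than the root credentials. The wrapper below is an added example, not part of the Nandu project: the function names, the `NANDU_BIN` override, the `ci-bot` user, the registry URL and the IPv4-only CIDR check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the Nandu project): issue a read-only,
# network-restricted token for a non-root user, using only flags from
# the `nandu token:create` usage text above.

# valid_cidr_list LIST: succeed only if every comma-separated entry looks
# like an IPv4 CIDR with a prefix of 1-32. Syntactic check only; a /0
# entry is rejected because it would match every client address.
valid_cidr_list() {
    case $1 in
        ''|,*|*,|*,,*) return 1 ;;   # empty list or empty entry
    esac
    _rest=$1
    while [ -n "$_rest" ]; do
        _cidr=${_rest%%,*}
        case $_rest in
            *,*) _rest=${_rest#*,} ;;
            *)   _rest= ;;
        esac
        printf '%s\n' "$_cidr" | grep -Eq \
            '^([0-9]{1,3}\.){3}[0-9]{1,3}/([1-9]|[12][0-9]|3[0-2])$' || return 1
    done
    return 0
}

# issue_readonly_token USER REGISTRY CIDRS
# NANDU_BIN (hypothetical, for this example) overrides the binary to run.
issue_readonly_token() {
    _user=$1 _registry=$2 _cidrs=$3
    # Root is for bootstrapping only; do not mint day-to-day tokens for it.
    if [ "$_user" = "root" ]; then
        echo "refusing: create tokens for a non-root user" >&2; return 2
    fi
    # The admin token comes from NPM_TOKEN (the CLI's documented fallback)
    # so it never appears on the command line or in shell history.
    if [ -z "${NPM_TOKEN:-}" ]; then
        echo "refusing: NPM_TOKEN is not set" >&2; return 3
    fi
    if ! valid_cidr_list "$_cidrs"; then
        echo "refusing: invalid or overly broad CIDR list" >&2; return 4
    fi
    "${NANDU_BIN:-nandu}" token:create "$_user" --registry "$_registry" \
        --readonly --cidr-whitelist "$_cidrs"
}

# Example call (constructed values):
#   issue_readonly_token ci-bot http://localhost:4567 10.0.0.0/8
```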
nandu token:ls USER
list tokens for given user
USAGE
$ nandu token:ls USER --registry <value> [-h] [--token <value> | ]
FLAGS
-h, --help Show CLI help.
--registry=<value> (required) URI pointing to your Nandu NPM Registry
--token=<value> Token to be used for authentication, uses NPM_TOKEN env variable if unspecified
DESCRIPTION
list tokens for given user
EXAMPLES
$ nandu start -p 4567
See code: src/commands/token/ls.ts
nandu user
Manage NPM Registry users
USAGE
$ nandu user
DESCRIPTION
Manage NPM Registry users
EXAMPLES
$ nandu user:add myuser
See code: src/commands/user/index.ts
nandu user:add USER
add or update a new token for given user
USAGE
$ nandu user:add USER --registry <value> [-h] [--token <value> | ]
FLAGS
-h, --help Show CLI help.
--registry=<value> (required) URI pointing to your Nandu NPM Registry
--token=<value> Token to be used for authentication, uses NPM_TOKEN env variable if unspecified
DESCRIPTION
add or update a new token for given user
EXAMPLES
$ nandu user:add myuser
See code: src/commands/user/add.ts
FAQs
Nandu Open NPM Registry CLI
We found that @nandu/cli demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.