Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@sodefa/gitenvs
Advanced tools
Save encrypted environment variables directly in git.
createEnvFiles.ts
)import { GenerateEnvFilesFunction, Keys, main } from '@sodefa/gitenvs'
type Stage = 'production' | 'staging' | 'development'
const generateEnvFiles: GenerateEnvFilesFunction<Stage> = ({
resolveSecret,
}) => {
return [
{
envFilePath: 'path/to/your/app/.env.local',
envVars: [
{
key: 'ENV_NAME',
values: {
default: 'EMPTY',
production: resolveSecret(''),
staging: resolveSecret(''),
development: resolveSecret(''),
},
},
],
},
]
}
const keys: Keys<Stage> = {
production: {
publicKey: '',
encryptedPrivateKey: '',
},
staging: {
publicKey: '',
encryptedPrivateKey: '',
},
development: {
publicKey: '',
encryptedPrivateKey: '',
},
}
main({
generateEnvFiles,
keys,
})
development
is the default stage that is used if you do not specify any stagenpx ts-node createEnvFiles.ts createKeys
(or how you called your file)
publicKey
& encryptedPrivateKey
and paste them into the keys
object in your createEnvFiles.ts
filecreateEnvFiles.ts
. It is a secret! Save it into your password manager.package.json
:
"env:create": "npx ts-node createEnvFiles.ts createEnvFiles"
"env:ui": "npx nodemon createEnvFiles.ts ui"
"prepare": "yarn env:create"
(This is so that the .env files will be created after node_modules were installed)*.passphrase
to your .gitignore
yarn env:ui
and go to http://localhost:1337
createEnvFiles.ts
file
default
value will be used if no value for the current stage is providedEncryption
resolveSecret
function. Example: resolveSecret('jk3Z35gkHKQtWlLWl4HXdhEJQAJdyIHTzQ4nH/uq84+SdD2ty2Q6qEECfjbAr79U65slD+8BxmFbSMwkAFdXtpkJpw+vHzwi+uVbMIDuq/yHW39XQ9Tv+5qGO3xIZnnE1HrkIOYNFc5O+YLb5dsBTasBwbMrVEBSUL1jA7NdL1IHo9lidrMPFfPxTdyB6COfuhu+UBq1MSXvjVabXXYuU2LXCBVeGhfRRVqs9lxPzb0ilplldsxns3nWRc3g2C5mOc3P2Ki9PjPEmaSvAi/CDgtrXuhMQ4yjeTTLmsZ9iDzyC9RR6apoJBj0NMkFxrnoJg/gG9Jyrgofbi2vfgmchFTPNB41KggNFEMGf428oihXW/k0o9tZWkyiCkXyysjHNJ/hz5g10tEBII1DTifWSe4H2LAfvAliOz8EzTMopXnra5LjlP1exDiTBTwg1GQj6VJ0tcYGnDLkGbkHVXZSZxQwgHWyUKcipb3J2O+21qMWcsRPGo4mzH0X6ORKnD+v4oGI34YDvcedMuQEfs2pmmX+EYwQx3TRgNk6Uy3ZAU84nM2z3IFeLBjhra5/mIH68y/MFMN/Kle6lEa28RR3bz2ToMDrDfvEyIQV+T2X0h8YiUDhol6UWA6OPGY8p2xS8Inz/byQCjbPO0z9hk1Vq9nzMkaupAy/KzZcorwtSPc=')
createKeys
command and paste them into the textarea under Decryption
development.passphrase
which just contains the passphraseenv:create
/ yarn install
GITENV_STAGE
defines which stage should be usedGITENV_PRIVATE_KEY_PASSPHRASE_${stageName}
contains the passpharse. Replace ${stageName}
with the stage name you used in GITENV_STAGE
FAQs
Save your environment variables in git - encrypted!
The npm package @sodefa/gitenvs receives a total of 12 weekly downloads. As such, @sodefa/gitenvs popularity was classified as not popular.
We found that @sodefa/gitenvs demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.