@ssc-hermes/request
Use a Bearer token in the request to authenticate identity. This library signs an integer (the sequence number) with the given odd crypto instance, which is suitable for access-control style authentication.
The sequence number is an always incrementing integer. It is expected that a server would check that the sequence is larger than the previous sequence, and also check that the signature is valid.
You can pass in either an integer or a localStorage instance. If you pass a localStorage instance, it will read the index '__seq', which should be a number. If there is no number stored there, the sequence will start at 0.
This library will increment the sequence number for each request, and if a Storage instance was passed in, it will re-save the sequence number on every request.
```
npm i -S @ssc-hermes/request
```
This should be ergonomic to use with the existing odd crypto library.
This library also depends on ky for requests, which you will need to install. In a web browser, pass in an instance of ky; you get back an extended ky instance that automatically adds a signature to the header as a Bearer token.
```ts
import { test } from '@socketsupply/tapzero'
import { AuthRequest, parseHeader, verify } from '@ssc-hermes/request'
import ky from 'ky-universal'

let header: string
// header is like `Bearer ${base64string}`

test('create instance', async t => {
    // `crypto` here is the odd crypto component -- `program.components.crypto`
    const req = AuthRequest(ky, crypto, 0)

    await req.get('https://example.com/', {
        hooks: {
            afterResponse: [
                (request: Request) => {
                    header = request.headers.get('Authorization')
                    const obj = parseHeader(
                        request.headers.get('Authorization') as string
                    )
                    t.ok(obj, 'should have an Authorization header in request')
                    t.equal(obj.seq, 1, 'should have the right sequence')
                }
            ]
        }
    })
})

test('parse header', t => {
    const obj = parseHeader(header)
    // {
    //     seq: 1,
    //     author: 'did:key:...',
    //     signature: '123abc'
    // }
    t.equal(obj.seq, 1, 'should have the right sequence number')
})

test('verify the header', async t => {
    t.equal(await verify(header), true, 'should validate a valid token')
    // also make sure that the sequence number is greater than the previous
})
```
Use a `Bearer` token with web crypto to authenticate
The npm package @ssc-hermes/request receives a total of 1 weekly downloads. As such, @ssc-hermes/request popularity was classified as not popular.
We found that @ssc-hermes/request demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.