
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@superhuman/push-receiver
Advanced tools
A module to subscribe to GCM/FCM and receive notifications within a node process.
A library to subscribe to GCM/FCM and receive notifications within a node process.
For Electron, you can use electron-push-receiver instead which provides a convenient wrapper.
See this blog post for more details.
push-receiver ?push-receiver ?npm i -S push-receiver
You can use electron-push-receiver instead which provides a convenient wrapper.
const { register, listen } = require('push-receiver');
// First time
// Register to GCM and FCM
const credentials = await register(senderId); // You should call register only once and then store the credentials somewhere
storeCredentials(credentials) // Store credentials to use it later
const fcmToken = credentials.fcm.token; // Token to use to send notifications
sendTokenToBackendOrWhatever(fcmToken);
// Next times
const credentials = getSavedCredentials() // get your saved credentials from somewhere (file, db, etc...)
// persistentIds is the list of notification ids received to avoid receiving all already received notifications on start.
const persistentIds = getPersistentIds() || [] // get all previous persistentIds from somewhere (file, db, etc...)
await listen({ ...credentials, persistentIds}, onNotification);
// Called on new notification
function onNotification({ notification, persistentId }) {
// Update list of persistentId in file/db/...
updatePersistentIds([...persistentIds, persistentId]);
// Do someting with the notification
display(notification)
}
To test, you can use the send script provided in this repo, you need to pass your serverKey and the FCM token as arguments :
node scripts/send --serverKey="<FIREBASE_SERVER_KEY>" --token="<FIREBASE_TOKEN>"
FAQs
A module to subscribe to GCM/FCM and receive notifications within a node process.
The npm package @superhuman/push-receiver receives a total of 173 weekly downloads. As such, @superhuman/push-receiver popularity was classified as not popular.
We found that @superhuman/push-receiver demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.