Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
@taktikorg/culpa-minus-minus
Advanced tools
> Typed library to work 2fa via Google Authenticator/Time-based TOTP/Hmac-based HOTP
Typed library to work 2fa via Google Authenticator/Time-based TOTP/Hmac-based HOTP
npm
npm i @taktikorg/culpa-minus-minus
Yarn
yarn add @taktikorg/culpa-minus-minus
HOTP
- HMAC-based One Time Password generation method. Uses incrementing with each login counter
and secret
to generate unique 6-8 digit codes.TOTP
- Time-based, uses current time
modulo period
(seconds) as counter in HOTP
,Google Authenticator
- uses simplified version of TOTP
to generate codes. Differences:
SHA-1
hash supportGoogle Authenticator limits are defaults for this library.
// 1. Import library - use totp (code changes with time)
import { totp, generateKey, getKeyUri } from "@taktikorg/culpa-minus-minus";
// 2. Import crypto adapter. Either `crypto-node` or `crypto-web` - API is identical
import { hmac, randomBytes } from "@taktikorg/culpa-minus-minus/crypto-node";
// 3. Get key from somewhere. Or generate it
const key = generateKey(randomBytes, /* bytes: */ 20); // 5-20 good for Google Authenticator
// 4. Get key import url
const url = getKeyUri({
type: "totp",
secret,
name: "User's Username",
issuer: "Your Site Name"
});
// 5. Show it to user as QR code - send it back to client
// Get 6-digit code back from him, as confirmation of saving secret key
const input = "...";
const code = await totp(hmac, { secret });
if (code === input) {
// 6. Done. User configured your key
}
FAQs
> Typed library to work 2fa via Google Authenticator/Time-based TOTP/Hmac-based HOTP
The npm package @taktikorg/culpa-minus-minus receives a total of 0 weekly downloads. As such, @taktikorg/culpa-minus-minus popularity was classified as not popular.
We found that @taktikorg/culpa-minus-minus demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.