@trezor/connect-webextension

High-level javascript interface for Trezor hardware wallet in webextension serviceworker environment.

  • Source: npm
  • Version: 0.0.0-beta.2
  • Versions: 67
  • Weekly downloads: 494 (-12.72%)
  • Maintainers: 4

@trezor/connect-webextension BETA


This package contains @trezor/connect implementation suitable for webextensions. In short it:

  • works in a service worker
  • provides access to the TrezorConnect API
  • handles opening the popup page on the trezor.io domain when the user is expected to approve an operation
  • returns the result to the caller.

Beta

This package is currently in beta. If you find anything not working or not suiting your needs, please open an issue.

How to use

At the moment, only the bundles build/trezor-connect-webextension.js and build/trezor-connect-webextension.min.js are published.

Option 1: Using Scripting Permissions

Modify your manifest.json to include scripting permissions and specify host_permissions. Also, define your service worker script:

    "permissions": ["scripting"],
    "host_permissions": ["*://connect.trezor.io/9/*"],
    "background": {
        "service_worker": "serviceWorker.js"
    },

Import in Service Worker:

In your serviceWorker.js, import the library build/trezor-connect-webextension.js using importScripts. Replace <path> with the actual path to the library file:

importScripts('<path>/trezor-connect-webextension.js');

This method is recommended for a seamless integration with background processes of your extension.

Option 2: Manual Content Script Injection

Bundle the Library:

Include build/content-script.js from this package into your project's bundle.

Update manifest.json, replacing <path> with the actual path to the library file:

  "content_scripts": [
    {
      "js": ["<path>/content-script.js"],
      "matches": ["*://connect.trezor.io/9/*"]
    }
  ],
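
A manifest check covering both options above, as an added example (not code from this package or from Trezor): it confirms the integration stays scoped to the `*://connect.trezor.io/9/*` pattern and flags all-host grants held alongside `scripting`. The function `auditManifest`, the finding names and the sample manifests are hypothetical.

```javascript
// Added example, not part of the package. The match pattern is taken from the README above.
const CONNECT_PATTERN = '*://connect.trezor.io/9/*';
// Match patterns whose host part is a bare wildcard, i.e. every site.
const ALL_HOSTS = /^(<all_urls>|(\*|https?):\/\/\*\/.*)$/;

function auditManifest(manifest) {
  const findings = [];
  const permissions = manifest.permissions || [];
  const hosts = manifest.host_permissions || [];
  const contentScripts = manifest.content_scripts || [];

  // Option 1: "scripting" permission plus a host permission for the popup origin.
  const option1 = permissions.includes('scripting') && hosts.includes(CONNECT_PATTERN);
  // Option 2: a content script declared for the popup origin.
  const connectEntries = contentScripts.filter(cs => (cs.matches || []).includes(CONNECT_PATTERN));
  const option2 = connectEntries.length > 0;

  if (!option1 && !option2) findings.push('no-connect-integration');
  if (option1 && typeof (manifest.background || {}).service_worker !== 'string') {
    findings.push('option1-missing-service-worker');
  }
  // With "scripting", every granted host is an injection target, so flag all-host grants.
  if (permissions.includes('scripting')) {
    for (const h of hosts.filter(h => ALL_HOSTS.test(h))) {
      findings.push(`scripting-with-all-hosts:${h}`);
    }
  }
  // The bundled content script should run on the popup origin only.
  for (const cs of connectEntries) {
    for (const m of cs.matches.filter(m => m !== CONNECT_PATTERN)) {
      findings.push(`content-script-extra-match:${m}`);
    }
  }
  return { option1, option2, findings };
}

// Constructed sample manifests (not taken from any real extension).
const scopedManifest = {
  permissions: ['scripting'],
  host_permissions: [CONNECT_PATTERN],
  background: { service_worker: 'serviceWorker.js' },
};
const broadManifest = {
  permissions: ['scripting', 'tabs'],
  host_permissions: ['<all_urls>', CONNECT_PATTERN],
  content_scripts: [{ js: ['vendor/content-script.js'], matches: [CONNECT_PATTERN, 'https://*/*'] }],
};
console.log(auditManifest(scopedManifest), auditManifest(broadManifest));
```

Run it over the parsed manifest.json in CI so that a later widening of host_permissions or matches shows up as a finding.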

There are still some open questions, let us know!

  • should we also publish src? It would require some postinstall build steps, however
  • should we publish other build targets (now te)

Development

  • yarn
  • yarn build:libs
  • yarn workspace @trezor/connect-webextension build
  • yarn workspace @trezor/connect-iframe build:core-module
  • yarn workspace @trezor/connect-popup dev

Now you should be able to import from this package or use build/trezor-connect-webextension.js directly. The popup runs on your localhost; point to it with TrezorConnect.init({ connectSrc: ... })

Roadmap

  • merge to develop branch
  • release to npm under beta channel
  • public release

Keywords

Trezor

FAQs

Package last updated on 26 Jan 2024
