Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@twreporter/registration
Advanced tools
npm i --save @twreporter/registration
import { configureAction, authUserAction } from '@twreporter/registration'
if (path === `/${ACTIVATE_PAGE_PATH}`) {
// The following procedure is for OAuth (Google/Facebook)
// setup token to redux state from cookies
const authInfoString = get(req, 'cookies.auth_info', '')
const authType = get(req, 'query.login', 'email signin')
if (authInfoString) {
const authInfoObj = JSON.parse(authInfoString)
const jwt = get(authInfoObj, 'jwt', '')
if (jwt) {
store.dispatch(authUserAction(authType, authInfoObj))
}
}
}
// setup authentication api server url and endpoints
store.dispatch(configureAction(config.registrationConfigure))
// token can be stored in localStorage in two scenario
// 1. TWReporter account sign in
// 2. oAuth
// Acount: store auth info during signin action
// oAuth: cookie -> redux state -> localStorage -> delete authinfo in redux state
// The following procedure is only for oAuth
// const { auth } = store.getState()
const { ifAuthenticated, authInfo, authType, deletAuthInfoAction } = this.props
if(ifAuthenticated && authInfo && (authType === 'facebook' || authType === 'google')) {
setupTokenInLocalStorage(authInfo, localStorageKeys.authInfo)
deletAuthInfoAction()
// store.dispatch(deletAuthInfoAction())
}
// 1. Renew token when user brows our website
// 2. ScheduleRenewToken if user keep the tab open forever
const { authConfigure, renewToken } = this.props
const authInfoString = getItem(localStorageKeys.authInfo)
if(authInfoString) {
const authObj = JSON.parse(authInfoString)
// const { authConfigure } = store.getState()
const { apiUrl, renew } = authConfigure
renewToken(apiUrl, renew, authObj)
scheduleRenewToken(
6,
() => {
if (getItem(localStorageKeys.authInfo)) {
renewToken(apiUrl, renew, JSON.parse(getItem(localStorageKeys.authInfo)))
}
}
)
}
// Check if token existed in localStorage and expired
// following preocedure is for both accoutn and oAuth SignIn
// 7 = 7 days
const { authUserByTokenAction } = this.props
authUserByTokenAction(7, authType)
The package provide two kind of widgets. One is bookmark widget, another one is service widgets. Each widget can be served on specific url, so you can use iframe to implement the function.
// Bookmark
const bookmarkData = {
slug: 'fake-slug',
host: 'http://fake-host:3000',
is_external: false,
title: 'fake-title',
desc: 'fake-description',
thumbnail: 'fake-thumbnail',
category: 'issue',
published_date: '2017-12-12T08:00:00+08:00',
}
const bookmarkPostMessage = {
bookmarkData,
svgColor: 'white',
}
// Service
const bookmarkPostMessage = {
svgColor: 'white',
}
//Receiver Prototype
const isJson = (string) => {
try {
JSON.parse(string)
} catch (e) {
return false
}
return true
}
class WidgetPrototype extends React.Component {
constructor(props) {
super(props)
this.state = {
postMessage: {}
}
this.receiveMessage = this._receiveMessage.bind(this)
}
_receiveMessage(event) {
// The statement is only for production
// Only receiveMessage from twreporter website
if (event.origin !== 'https://www.twreporter.org' && process.env.NODE_ENV === 'production') {
return
}
let dataObject
// Only process message which contain useful infomation
const data = _.get(event, 'data', '')
if (typeof data === 'string' && isJson(data)) {
dataObject = JSON.parse(event.data)
this.setState({
postMessage: dataObject
})
}
}
componentDidMount() {
window.addEventListener('message', this.receiveMessage, false)
}
}
export default WidgetPrototype
// Receiver page
// User can use the url for iframe
import { BookmarkWidget } from '@twreporter/registration'
import get from 'lodash/get'
import React from 'react'
import WidgetPrototype from './prototype'
const _ = {
get
}
class BookmarkIframe extends WidgetPrototype {
render() {
const { postMessage } = this.state
return (
<BookmarkWidget
slug={_.get(postMessage, 'bookmarkData.slug', '')}
bookmarkData={_.get(postMessage, 'bookmarkData', {})}
svgColor={_.get(postMessage, 'svgColor', '')}
external
mobile
/>
)
}
}
export default BookmarkIframe
class foo extends React.Component {
componentDidMount() {
const serviceElement = document.getElementById('serviceIcon')
serviceElement.onload = () => {
serviceElement.contentWindow.postMessage(JSON.stringify(servicePostMessage), `${HOST}`)
}
}
render() {
return (
<iFrame
id="serviceIcon"
title="service-widget"
src={`${HOST}/widgets-services`}
scrolling="no"
/>
)
}
}
npm run dev //development mode
npm run build //production mode
//Hard reload development without npm link
CUSTOMER_FOLDER=/task/xxfolder/twreporter npm run dev
//Or you can put @twreporter/registration at same directory with your project folder.
FAQs
account registration system
The npm package @twreporter/registration receives a total of 0 weekly downloads. As such, @twreporter/registration popularity was classified as not popular.
We found that @twreporter/registration demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.