Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Package components for Appcelerator Titanium, Alloy and Arrow projects for distribution and dependency via NPM.
NOTE: Running
appc-npm <type>
for your component only updates/adds apackage.json
andappc-npm
postinstall executable. It adds no dependencies and does not change your code.
$ [sudo] npm install -g appc-npm
Simply navigate to your Titanium module or library, Alloy widget, sync adapter, Arrow connector or other component and run the CLI with the command for that component:
$ cd mywidget
$ appc-npm widget
+ alloy-widget-myWidget@1.0.0
$ npm publish
+ alloy-widget-myWidget@1.0.0
Create or update the package.json
for your project:
{
...
"dependencies": {
"alloy-widget-myWidget": "1.0.0"
}
}
Install the dependencies:
$ npm install
> alloy-widget-myWidget@1.0.0 postinstall /Users/fokkezb/myProject/node_modules/alloy-widget-myWidget
> node ./appc-npm
alloy-widget-myWidget@1.0.0 node_modules/alloy-widget-myWidget
After which you'll find the widget in:
./app/widgets/myWidget
You can add dependencies to other Appcelerator dependencies on NPM to the package.json
of your packaged component. So if your Alloy widget depends on a library, module or other widget then you can install them all in one go.
$ npm install
> alloy-widget-myWidget@1.0.0 postinstall /Users/fokkezb/myProject/node_modules/alloy-widget-myWidget
> node ./appc-npm
> appc-lib-xp.ui@1.0.0 postinstall /Users/fokkezb/myProject/node_modules/alloy-widget-myWidget/node_modules/appc-lib-xp.ui
> node ./appc-npm
alloy-widget-myWidget@1.0.0 node_modules/alloy-widget-myWidget
├── appc-lib-xp.ui@1.0.0
After which you'll find the widget and the lib it depends on in:
./app/widgets/myWidget
./app/lib/xp.ui.js
Run the command again to update the packaged installer, update the version (for components like Alloy widgets) and add missing files to copy.
$ appc-npm widget
+ alloy-widget-myWidget@1.0.1
You can use the following commands or types of components:
widget
Alloy Widgets. Uses widget.json
to populate the package.json
, ignores that same file for the installer and uses alloy-widget-<id>
as the package name.
sync
Alloy sync adapters. Searches for the first .js
and uses alloy-sync-<filename>
as the package name and 1.0.0
for the version. All other files are ignored for the installer.
lib
Titanium, Alloy or Arrow CommonJS libraries. Searches for the first .js
and uses alloy-sync-<filename>
as the package name and 1.0.0
for the version. All other files are ignored for the installer.
block
Arrow post or pre-blocks. Searches for the first .js
to determine the base path and adds that file to the list of paths to copy to the project. The default package name is arrow-block-<filename>
and version is 1.0.0
.
module
Titanium modules. Searches for the most recent ZIP file and adds that file to the files
field of the package.json
so that only that file and our installer will be published to NPM. It also reads the manifest
to use in the default package, which is ti-module-<id>
, and for the version.
connector
Arrow connectors. Searches for appc.json
to determine the base path and adds that same directory to the list of paths to copy. The existing package.json
is updated with the postinstall
script and appc-npm
property containing the list of paths.
FAQs
Package components for Appcelerator Titanium, Alloy and Arrow projects for distribution via NPM.
The npm package appc-npm receives a total of 0 weekly downloads. As such, appc-npm popularity was classified as not popular.
We found that appc-npm demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.