Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Package components for Appcelerator Titanium, Alloy and Arrow projects for distribution via NPM.
Package components for Appcelerator Titanium, Alloy and Arrow projects for distribution via NPM.
NOTE: Running
appc-npm <type>
for your component only updates/adds apackage.json
andappc-npm
postinstall executable. It adds no dependencies and does not change your code.
$ [sudo] npm install -g appc-npm
Simply navigate to your Titanium module or library, Alloy widget, sync adapter, Arrow connector or other component and run the CLI with the command for that component and optional path (defaulting to CWD).
$ cd mywidget
$ appc-npm widget
+ alloy-widget-myWidget@1.0.0
$ npm publish
+ alloy-widget-myWidget@1.0.0
$ npm install alloy-widget-myWidget --save
> alloy-widget-myWidget@1.0.0 postinstall /Users/fokkezb/myProject/node_modules/alloy-widget-myWidget
> node ./appc-npm
alloy-widget-myWidget@1.0.0 node_modules/alloy-widget-myWidget
After which you'll find the widget in:
./app/widgets/myWidget
You can add dependencies to other Appcelerator dependencies on NPM to the package.json
of your packaged component. So if your Alloy widget depends on a library, module or other widget then you can install them all in one go.
$ npm install alloy-widget-myWidget --save
> alloy-widget-myWidget@1.0.0 postinstall /Users/fokkezb/myProject/node_modules/alloy-widget-myWidget
> node ./appc-npm
> appc-lib-xp.ui@1.0.0 postinstall /Users/fokkezb/myProject/node_modules/alloy-widget-myWidget/node_modules/appc-lib-xp.ui
> node ./appc-npm
alloy-widget-myWidget@1.0.0 node_modules/alloy-widget-myWidget
├── appc-lib-xp.ui@1.0.0
After which you'll find the widget and the lib it depends on in:
./app/widgets/myWidget
./app/lib/xp.ui.js
Run the command again to update the packaged installer, update the version (for components like Alloy widgets) and add missing files to copy.
$ appc-npm widget
+ alloy-widget-myWidget@1.0.1
You can use the following commands or types of components:
module
Titanium modules. Run it in the folder above the platform folders to package the most recent distribution ZIP file of each platform. Run it in a platform folder to package only that one.
Reads the manifest
to populate the package.json
, using ti-module-<moduleid>
as name and the greatest version found for all platforms as the package version.
NOTE: Only the most recent ZIP file of each platform and the
appc-npm
installer are added to thepackage.json
'sfiles
property so that only these will be packaged and published to NPM and not the full module source.
lib
Titanium, Alloy or Arrow CommonJS libraries. Searches for the first .js
and uses alloy-sync-<filename>
as the package name and 1.0.0
for the version. All other files are ignored for the installer.
widget
Alloy Widgets. Uses widget.json
to populate the package.json
, ignores that same file for the installer and uses alloy-widget-<id>
as the package name.
sync
Alloy sync adapters. Searches for the first .js
and uses alloy-sync-<filename>
as the package name and 1.0.0
for the version. All other files are ignored for the installer.
theme
Alloy themes. Uses alloy-sync-<dirname>
as the package name and 1.0.0
for the version. It ignores the generated package.json
for the installer.
connector
Arrow connectors. Searches for package.json
to determine the target for the installer and will update the file with the postinstall
script and appc-npm
property, leaving the name and version as it is.
block
Arrow post or pre-blocks. Searches for the first .js
to determine the base path and adds that file to the list of paths to copy to the project. The default package name is arrow-block-<filename>
and version is 1.0.0
.
You can also require appc-npm
as a module, which is exactly what the CLI does.
To lint and run all tests:
$ [sudo] npm install -g grunt
$ npm install
$ npm test
To run a specific test by name (without -test.js
):
$ grunt test --test <test>
To add new types of components, provide a PR with a type, fixture and test.
Please report issues and features requests in the repo's issue tracker.
Distributed under MIT License.
FAQs
Package components for Appcelerator Titanium, Alloy and Arrow projects for distribution via NPM.
The npm package appc-npm receives a total of 0 weekly downloads. As such, appc-npm popularity was classified as not popular.
We found that appc-npm demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.