The aws-crt npm package is a low-level client library for AWS services, providing a high-performance, cross-platform implementation of the AWS Common Runtime (CRT). It offers functionalities for networking, cryptography, and other foundational services that are essential for building AWS SDKs and other AWS-related applications.
MQTT Client
This feature allows you to create an MQTT client to connect to AWS IoT Core. The code sample demonstrates how to set up the client, connect to the broker, subscribe to a topic, and handle incoming messages.
const { mqtt } = require('aws-crt');

const client = mqtt.Client({
  host: 'example.iot.region.amazonaws.com',
  port: 8883,
  clientId: 'myClientId',
  clean: true,
  keepAlive: 60,
  protocol: 'mqtts',
  key: 'path/to/private-key.pem',
  cert: 'path/to/certificate.pem',
  ca: 'path/to/ca.pem'
});

client.on('connect', () => {
  console.log('Connected to MQTT broker');
  client.subscribe('my/topic', { qos: 1 });
});

client.on('message', (topic, message) => {
  console.log(`Received message: ${message.toString()} on topic: ${topic}`);
});

client.connect();
HTTP Client
This feature provides an HTTP client for making HTTP requests. The code sample shows how to create an HTTP client, make a GET request, and handle the response.
const { http } = require('aws-crt');

const client = new http.HttpClient();
const request = new http.HttpRequest('https://example.com', 'GET');

client.request(request, (response) => {
  console.log(`Status Code: ${response.statusCode}`);
  response.on('data', (chunk) => {
    console.log(`Body: ${chunk.toString()}`);
  });
});
WebSocket Client
This feature allows you to create a WebSocket client for real-time communication. The code sample demonstrates how to set up the client, connect to a WebSocket server, send messages, and handle incoming messages.
const { websocket } = require('aws-crt');

const client = new websocket.WebSocketClient('wss://example.com/socket');

client.on('open', () => {
  console.log('WebSocket connection opened');
  client.send('Hello, WebSocket!');
});

client.on('message', (message) => {
  console.log(`Received message: ${message}`);
});

client.on('close', () => {
  console.log('WebSocket connection closed');
});

client.connect();
The aws-sdk package is the official AWS SDK for JavaScript, providing a higher-level abstraction over AWS services. It is more user-friendly and feature-rich compared to aws-crt, which is a lower-level library focused on performance and foundational services.
The mqtt package is a popular MQTT client for Node.js. While it offers MQTT functionality similar to that of aws-crt, it does not provide the same level of integration with AWS services and lacks additional features such as the HTTP and WebSocket clients.
Axios is a widely-used HTTP client for Node.js and the browser. It provides a simpler and more user-friendly API for making HTTP requests compared to the low-level HTTP client in aws-crt.
The ws package is a simple and fast WebSocket client for Node.js. It offers WebSocket functionality similar to that of aws-crt but does not include the additional AWS-specific features.
NodeJS/Browser bindings for the AWS Common Runtime
This library is licensed under the Apache 2.0 License.
To build the package locally
git clone https://github.com/awslabs/aws-crt-nodejs.git
cd aws-crt-nodejs
git submodule update --init
npm install
Normally, you just declare aws-crt as a dependency in your package.json file.
You can either add it to package.json (if using a tool like webpack), or just import the dist.browser/ folder into your web project.
npm install aws-crt
To reduce the size of the package, we put the C source code in an S3 bucket. If the platform you are using doesn't have a prebuilt binary, the install script will pull the source from the S3 bucket. If there is no public internet access, you can set the "CRT_BINARY_HOST" environment variable to the host of the source code, and the build script will fetch the source code from that host instead. To fetch the source from S3, you can use the CloudFront distribution (only works for versions after v1.9.2): the source is at https://d332vdhbectycy.cloudfront.net/aws-crt-<version>-source.tgz and the sha256 checksum is at https://d332vdhbectycy.cloudfront.net/aws-crt-<version>-source.sha256
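An added example, not code from the aws-crt project or from this page: checking a downloaded or mirrored source tarball against the published SHA-256 file before it is built. The checksum file layout, the strict version pattern, and a mirror that keeps the same file names are assumptions; the sample bytes are constructed.

```javascript
const crypto = require('crypto');

// CloudFront host taken from the text above.
const CDN = 'https://d332vdhbectycy.cloudfront.net';

// Build the tarball and checksum URLs. `host` stands in for a CRT_BINARY_HOST
// mirror (assumption: the mirror keeps the same file names).
function sourceUrls(version, host = CDN) {
  // Assumption: plain x.y.z versions only, so nothing else can reach the URL path.
  if (!/^\d+\.\d+\.\d+$/.test(version)) throw new Error(`bad version: ${version}`);
  const base = `${host.replace(/\/+$/, '')}/aws-crt-${version}-source`;
  return { tarball: `${base}.tgz`, checksum: `${base}.sha256` };
}

// Assumption: the .sha256 file starts with a 64-character hex digest,
// optionally followed by whitespace and a file name (sha256sum style).
function parseChecksumFile(text) {
  const m = /^\s*([0-9a-fA-F]{64})(?:\s|$)/.exec(text);
  if (!m) throw new Error('checksum file does not start with a SHA-256 hex digest');
  return Buffer.from(m[1], 'hex');
}

// Returns true only when the tarball bytes hash to the published digest.
function verifyTarball(tarballBytes, checksumText) {
  const expected = parseChecksumFile(checksumText);
  const actual = crypto.createHash('sha256').update(tarballBytes).digest();
  return crypto.timingSafeEqual(actual, expected); // both are 32 bytes
}

// Constructed sample standing in for a real download.
const sample = Buffer.from('constructed stand-in for aws-crt source.tgz');
const sampleChecksumFile =
  crypto.createHash('sha256').update(sample).digest('hex') + '  aws-crt-source.tgz\n';
const tampered = Buffer.concat([sample, Buffer.from('x')]);

console.log('intact:  ', verifyTarball(sample, sampleChecksumFile));
console.log('tampered:', verifyTarball(tampered, sampleChecksumFile));
```

The checksum only detects tampering if it is fetched over a channel the tarball's host cannot rewrite; on an internal mirror, pin the digest obtained from the upstream distribution rather than the mirror's own copy.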
After building the package locally, use node ./scripts/build.js --debug to enable debug. Then, attach any C debugger to use node to run jest
Please note that on Mac, once a private key is used with a certificate, that certificate-key pair is imported into the Mac Keychain. All subsequent uses of that certificate will use the stored private key and ignore anything passed in programmatically. Beginning in v1.1.11, when a stored private key from the Keychain is used, the following will be logged at the "info" log level:
static: certificate has an existing certificate-key pair that was previously imported into the Keychain. Using key from Keychain instead of the one provided.
FAQs
NodeJS/browser bindings to the aws-c-* libraries
The npm package aws-crt receives a total of 333,020 weekly downloads. As such, aws-crt popularity was classified as popular.
We found that aws-crt demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.