Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
The BitGo Platform and SDK makes it easy to build multi-signature crypto-currency applications today with support for Bitcoin, Ethereum and many other coins. The SDK is fully integrated with the BitGo co-signing service for managing all of your BitGo wallets.
Included in the SDK are examples for how to use the API to manage your multi-signature wallets.
Please email us at support@bitgo.com if you have questions or comments about this API.
Please make sure you are running at least Node version 8 (the latest LTS release is recommended) and NPM version 6.
We recommend using nvm
, the Node Version Manager, for setting your Node version.
npm install --save bitgo
Please see our SDK Documentation for detailed information about the TypeScript SDK and functionality.
For more general information about the BitGo API, please see our REST API Documentation.
You can find the complete release notes (since version 4.44.0) here.
Create an access token by logging into your bitgo account, going to the API access tab in the settings area and making a developer token.
const BitGo = require('bitgo');
const bitgo = new BitGo.BitGo({ accessToken: ACCESS_TOKEN }); // defaults to testnet. add env: 'prod' if you want to go against mainnet
const result = await bitgo.session();
console.dir(result);
const params = {
passphrase: 'replaceme',
label: 'firstwallet',
};
const { wallet } = await bitgo.coin('tbtc').wallets().generateWallet(params);
console.dir(wallet);
const address = await wallet.createAddress();
console.dir(address);
const transfers = await wallet.transfers();
const result = await wallet.sendCoins({
address: '2NEe9QhKPB2gnQLB3hffMuDcoFKZFjHYJYx',
amount: 0.01 * 1e8,
walletPassphrase: 'replaceme',
});
console.dir(result);
Further demos and examples in both JavaScript and TypeScript can be found in the examples directory.
bitgo
uses the debug
package to emit extra information, which can be useful when debugging issues with BitGoJS or BitGo Express.
When using the bitgo
npm package, the easiest way to enable debug output is by setting the DEBUG
environment variable to one or more of the debug namespaces in the table below. Multiple debug namespaces can be enabled by giving a comma-separated list or by using *
as a wildcard. See the debug package documentation for more details.
Namespace | Description |
---|---|
bitgo:index | Core BitGo object. Currently only constant fetch failures and HMAC response failures will emit debug information for this namespace. |
bitgo:v1:txb | Version 1 (legacy) transaction builder |
bitgo:v2:pendingapprovals | Pending approval operations. Currently only wallet fetch errors will emit debug information for this namespace. |
bitgo:v2:wallet | Wallet operations including transaction prebuild, sendMany calls and consolidation transactions |
bitgo:v2:utxo | Low level operations for UTXO coins, including transaction parsing, verification, signing and explanations |
bitgo:v2:eth | Ethereum specific output. Currently only failures to require the optional Ethereum libraries are reported |
bitgo:v2:util | SDK utilities specific output. Currently only failures to require the optional Ethereum libraries are reported |
Another debug namespace which is not provided by BitGoJS but is helpful nonetheless is the superagent
namespace, which will output all HTTP requests and responses (only the URL, not bodies).
To run an SDK script with debug output enabled, export the DEBUG environment variable before running.
export DEBUG='bitgo:*' # enable all bitgo debug namespaces
node myScript.js
To set debug namespaces in the browser, you should set localStorage.debug
property instead of the DEBUG
environment variable using your browser's development tools console.
localStorage.debug = 'bitgo:*'; // enable all bitgo debug namespaces
bitgo
is not yet compatible with the noImplicitAny
compiler option. If you want to use this option in your project (and we recommend that you do), you must set the skipLibCheck
option to supress errors about missing type definitions for dependencies of bitgo
.
Since version 6, bitgo
includes a minified, browser-compatible bundle by default at dist/browser/BitGoJS.min.js
. It can be copied from there directly into your project.
BitGoJS can also be bundled with any module bundler. There is a Webpack configuration file already included, which can be triggered with package scripts.
For a production build: npm run-script compile
For a development (non-minified) build: npm run-script compile-dbg
To build the test suite into a single test file: npm run-script compile-test
FAQs
security holding package
The npm package bigto receives a total of 2 weekly downloads. As such, bigto popularity was classified as not popular.
We found that bigto demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.