The bin-links npm package is a module that is responsible for linking binary files and commands for npm packages. It handles the creation of symlinks for executable files to the .bin directory within the node_modules folder or the global bin directory when a package is installed. This allows users to execute the binaries provided by the installed packages directly from the command line.
Linking Binaries
This feature allows the bin-links package to create symlinks for the binaries specified in the package.json file of a node module. The code sample demonstrates how to use bin-links to link binaries for a local package installation.
    const binLinks = require('bin-links');
    binLinks({
      path: '/path/to/package',
      pkg: { bin: { 'my-binary': './cli.js' } },
      global: false,
      force: true
    }).then(() => {
      console.log('Binaries linked successfully.');
    }).catch((err) => {
      console.error('Error linking binaries:', err);
    });
Linking Global Binaries
This feature is similar to the previous one but is used for linking binaries globally. When the 'global' option is set to true, the binaries are linked in the global bin directory, making them accessible from anywhere in the system.
    const binLinks = require('bin-links');
    binLinks({
      path: '/path/to/package',
      pkg: { bin: { 'my-binary': './cli.js' } },
      global: true,
      force: true
    }).then(() => {
      console.log('Global binaries linked successfully.');
    }).catch((err) => {
      console.error('Error linking global binaries:', err);
    });
The cmd-shim package is similar to bin-links in that it creates shim scripts for node modules to be used as command-line tools. Unlike bin-links, cmd-shim is focused on creating shims compatible with Windows as well as Unix systems.
npm-link is a package that provides functionality to symlink a package folder during development. While it serves a different purpose from bin-links, which links binaries, npm-link is used to link the entire package for development purposes.
bin-links is a standalone library that links binaries and man pages for JavaScript packages.
$ npm install bin-links
    const binLinks = require('bin-links')
    const readPackageJson = require('read-package-json-fast')

    const path = '/path/to/node_modules/some-package'
    // read-package-json-fast returns a Promise, so resolve it before passing pkg
    readPackageJson(`${path}/package.json`).then(pkg => binLinks({
      path,
      pkg,
      // true if it's a global install, false for local. default: false
      global: true,
      // true if it's the top level package being installed, false otherwise
      top: true,
      // true if you'd like to recklessly overwrite files.
      force: true,
    }))
This links the bin property of pkg to the node_modules/.bin directory of the installing environment. (Or ${prefix}/bin for top-level global packages on Unix, and ${prefix} for top-level global packages on Windows.)
It also links the man property of pkg to the share/man directory. (This is only done for top-level global packages on Unix systems.)
The npm team enthusiastically welcomes contributions and project participation! There's a bunch of things you can do if you want to contribute! The Contributor Guide has all the information you need for everything from reporting bugs to contributing entire new features. Please don't hesitate to jump in if you'd like to, or even ask us questions if something isn't clear.
> binLinks({path, pkg, force, global, top})
Returns a Promise that resolves when the requisite things have been linked.
> binLinks.getPaths({path, pkg, global, top })
Returns an array of all the paths of links and shims that might be created (assuming that they exist!) for the package at the specified path.
Does not touch the filesystem.
> binLinks.checkBins({path, pkg, global, top, force })
Checks if there are any conflicting bins which will prevent the linking of bins for the given package. Returns a Promise that resolves with no value if the way is clear, and rejects if there's something in the way.
Always returns successfully if global or top are false, or if force is true, or if the pkg object does not contain any bins to link.
Note that changes to the file system may still cause the binLinks method to fail even if this method succeeds. Does not check for conflicting man links.
Reads from the filesystem but does not make any changes.
binLinks({path, pkg, force, global, top}).then(() => console.log('bins linked!'))
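An added example (not bin-links' own code) that models, without touching the filesystem, the link destinations and the checkBins conflict rule documented above, so a reviewer can see which command names a package would claim before it is linked. The names `root`, `auditBinPlan`, `binTargetDir` and `binEntries` and the sample package are hypothetical, and any path already present is treated as a conflict.

```javascript
'use strict'

// Directory the README names for bins: ${prefix}/bin (Unix) or ${prefix}
// (Windows) for top-level global packages, otherwise node_modules/.bin.
// `root` is a hypothetical parameter: the npm prefix for a global install,
// the installing project's directory otherwise.
function binTargetDir ({ root, global, top, platform }) {
  const sep = platform === 'win32' ? '\\' : '/'
  if (global && top) return platform === 'win32' ? root : [root, 'bin'].join(sep)
  return [root, 'node_modules', '.bin'].join(sep)
}

// package.json allows `bin` as a string (one command named after the
// package, scope dropped) or as a { command: file } map.
function binEntries (pkg) {
  if (!pkg.bin) return []
  if (typeof pkg.bin === 'string') return [[pkg.name.split('/').pop(), pkg.bin]]
  return Object.entries(pkg.bin)
}

// List each command a package would claim. `existing` is a Set of paths
// already present in the target directory; any hit is treated as a conflict.
function auditBinPlan (opts, existing) {
  const { pkg, root, global = false, top = false, force = false, platform = 'linux' } = opts
  const sep = platform === 'win32' ? '\\' : '/'
  const dir = binTargetDir({ root, global, top, platform })
  return binEntries(pkg).map(([name, file]) => {
    const dest = [dir, name].join(sep) // Windows shim files are not modelled
    const occupied = existing.has(dest)
    return {
      name, file, dest, occupied,
      // checkBins rejects only for top-level global installs without force
      checkBinsRejects: occupied && global && top && !force,
      // force: true overwrites whatever already sits at dest
      forcedOverwrite: occupied && force
    }
  })
}

// Constructed sample: /usr/local/bin/my-binary already exists on the host.
const samplePkg = { name: '@example/tooling', bin: { 'my-binary': './cli.js', tooling: './cli.js' } }
const sampleExisting = new Set(['/usr/local/bin/my-binary'])
const install = { pkg: samplePkg, root: '/usr/local', global: true, top: true }
const guarded = auditBinPlan(install, sampleExisting)
const forced = auditBinPlan({ ...install, force: true }, sampleExisting)
console.log({ guarded, forced })
```

With force left off, the occupied name is reported as a rejection; with force on, the same name is reported as a silent overwrite, which is the case worth flagging in an install review.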
FAQs
JavaScript package binary linker
The npm package bin-links receives a total of 2,291,381 weekly downloads. As such, bin-links popularity was classified as popular.
We found that bin-links demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 6 open source maintainers collaborating on the project.