Research
wget to Wipeout: Malicious Go Modules Fetch Destructive Payload
Socket's research uncovers three dangerous Go modules that contain obfuscated disk-wiping malware, threatening complete data loss.
By Kush Pandya - May 01, 2025
📅 You're Invited: Meet the Socket team at RSAC (April 28 – May 1).RSVP →
blumen
Blumen is a tool to deploy websites on IPFS in a decentralized manner, fully managed by the user.
Features
- Multi-provider IPFS pinning
- ENS integration
- Gnosis API support
Getting Started
Installation
Node.js 18+ is required.
pnpm install -g blumen
Environment setup
Grab API keys from the services you use and define them in your environment (e.g. .env).
All env variables used by Blumen must be prefixed with
BLUMEN_
BLUMEN_W3S_TOKEN=eyJhb....
BLUMEN_GW3_TOKEN=ZA70...
BLUMEN_GW3_ACCESS_KEY=9e01ce24...
Deployment
Running deploy will try to use the dist folder, otherwise the current directory.
$ blumen deploy
# 📦 Packing blumen (37.03KB)
# 🌱 Root CID: bafy...
# 📡 Deploying with providers: web3.storage, Estuary
# ✓ [>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>] Finished in 2s
# 🌍 Deployed across all providers
# Success!
# Open in a browser:
# 🪐 IPFS: https://<CID>.ipfs.dweb.link
# 🛰️ IPFS Scan: https://ipfs-scan.io/?cid=<CID>
Documentation
CLI
blumen deploy
Deploys a directory on IPFS to specified providers and outputs a web-friendly gateway link, along with other useful information.
Upload a custom path:
$ blumen status /path/to/directory
blumen status <pin>
Retrieves pin status from providers.
$ blumen status bafybeibp54tslsez36quqptgzwyda3vo66za3rraujksmsb3d5q247uht4
web3.storage: pinned
Gateway3: pinned
By default, providers are fetched from environment like with the deploy command. You can manually specify providers via --providers flag, comma separated:
$ blumen status --providers=web3.storage,Gateway3 bafybeibp54tslsez36quqptgzwyda3vo66za3rraujksmsb3d5q247uht4
API
Blumen exposes some of the functionality as well.
import { walk, packCAR, uploadOnW3S } from 'blumen'
import { assert } from 'node:assert/strict'
const [files, total] = await walk('./dist')
const { blob, cid: actualCid } = await packCAR(files)
const { cid } = await uploadOnW3S({ token: process.env.W3S_TOKEN, car: blob })
assert.equal(cid, actualCid)
const { pin } = await statusOnW3S(cid)
console.log(`Pin status: ${pin}, CID: ${cid}`)
FAQs
🌸 Self-custodial decentralized deployments
The npm package blumen receives a total of 366 weekly downloads. As such, blumen popularity was classified as not popular.
We found that blumen demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 31 Aug 2023
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
Using Trusted Protocols Against You: Gmail as a C2 Mechanism
Socket uncovers malicious packages on PyPI using Gmail's SMTP protocol for command and control (C2) to exfiltrate data and execute commands.
By Olivia Brown - Apr 30, 2025
Product
A New Overview in our Dashboard
We redesigned Socket's first logged-in page to display rich and insightful visualizations about your repositories protected against supply chain threats.
By André Staltz - Apr 29, 2025