
Research
2025 Report: Destructive Malware in Open Source Packages
Destructive malware is rising across open source registries, using delays and kill switches to wipe code, break builds, and disrupt CI/CD.
bytecode-checker-cli
🔍 A CLI tool that checks whether locally compiled contract code matches the contract code deployed on chain
Build and publish (maintainer notes):
# Enter the project directory
cd bytecode-checker-cli
# Install dependencies
npm install
# Compile the TypeScript
npm run build
# Test it as a local link
npm link
# Log in to npm (if not already logged in)
npm login
# Enter your username, password and email
# Check what the package will contain
npm pack --dry-run
# Publish the package
npm publish
# If the package name is already taken, publish under a scope:
# first change "name" in package.json to "@your-username/bytecode-checker-cli",
# then run:
npm publish --access public
# Bump the patch version (1.0.0 -> 1.0.1)
npm version patch
# Bump the minor version (1.0.0 -> 1.1.0)
npm version minor
# Bump the major version (1.0.0 -> 2.0.0)
npm version major
# Publish the new version
npm publish
Install in your Hardhat project:
npm install --save-dev bytecode-checker-cli
Or install it globally:
npm install -g bytecode-checker-cli
Create a contractInfo.json file in the project root:
{
  "eth": {
    "Vault": "0x80aaf2e4636c510e067a5d300d8bafd48027addf",
    "VaultCrossChainRelay": "0x060194eec4556096baaabd6bf553d2658d6a66ab"
  },
  "bsc": {
    "Vault": "0x2cb7d2603a5f43b9fe79e98f09fe3eec40b6765d",
    "VaultCrossChainRelay": "0x23ae3a565e0896866e7725fe6d49fd777359c162"
  }
}
Format: the top-level keys are network names (they must match the network names in hardhat.config.js); under each network, the keys are contract names as they appear in your Hardhat artifacts and the values are the deployed addresses. Make sure the corresponding networks are configured in hardhat.config.js:
module.exports = {
  networks: {
    eth: {
      url: "https://eth-mainnet.g.alchemy.com/v2/YOUR-API-KEY",
    },
    bsc: {
      url: "https://bsc-dataseed.binance.org/",
    }
  }
};
Compile the contracts, then run the check:
npx hardhat compile
# Check all contracts
npx bytecode-check check
# Check a specific contract
npx bytecode-check check --contract Vault
# Check a specific network
npx bytecode-check check --network eth
# Use a different configuration file
npx bytecode-check check --config ./config/contracts.json
# Write the report to a different path
npx bytecode-check check --output ./reports/result.json
| Option | Short | Description | Default |
|---|---|---|---|
| --contract <name> | -c | Name of the contract to check | - |
| --network <name> | -n | Name of the network to check | - |
| --config <path> | - | Path to the configuration file | ./contractInfo.json |
| --output <path> | -o | Path of the output report file | ./bytecode-check-report.json |
Or add scripts to package.json:
{
  "scripts": {
    "check:bytecode": "bytecode-check check",
    "check:vault": "bytecode-check check --contract Vault",
    "check:eth": "bytecode-check check --network eth"
  }
}
Run:
npm run check:bytecode
Sample output:
✓ Loaded configuration file: /path/to/contractInfo.json
Configuration file: /path/to/contractInfo.json
Networks: 2
- eth: 2 contracts
- bsc: 2 contracts
ℹ Checking all contracts...
✓ Check complete, 4 contracts in total
================================================================================
Bytecode check report
================================================================================
Total checked: 4
✓ Matched: 4
✗ Mismatched: 0
⚠ Errors: 0
✅ Matched contracts:
--------------------------------------------------------------------------------
Vault (eth): exact match
VaultCrossChainRelay (eth): constructor parameter difference
Vault (bsc): exact match
VaultCrossChainRelay (bsc): exact match
✓ Report saved: /path/to/bytecode-check-report.json
Format of the generated bytecode-check-report.json (the reason string is written in Chinese; 完全匹配 means "exact match"):
{
  "eth": {
    "Vault": {
      "contract": "Vault",
      "address": "0x80aaf2e4636c510e067a5d300d8bafd48027addf",
      "matches": true,
      "error": null,
      "reason": "完全匹配",
      "onChainBytecodeLength": 12345,
      "localBytecodeLength": 12345
    }
  },
  "bsc": {
    "Vault": {
      "contract": "Vault",
      "address": "0x2cb7d2603a5f43b9fe79e98f09fe3eec40b6765d",
      "matches": true,
      "error": null,
      "reason": "完全匹配",
      "onChainBytecodeLength": 12345,
      "localBytecodeLength": 12345
    }
  }
}
Q: What if it reports that the configuration file cannot be found?
A: Make sure contractInfo.json exists in the project root, or pass its path with --config.
Q: What if it reports that this is not a Hardhat project?
A: Run the command from the root of the Hardhat project, where hardhat.config.js or hardhat.config.ts lives.
Q: How are constructor parameter differences handled?
A: Constructor parameter differences are expected; the tool recognizes them and marks the contract as matching. Such an entry still deserves a look: the report records only the lengths of the two bytecodes and a reason string, so if the constructor sets values that matter for security (an owner, an admin, a token address), confirm those values on chain separately rather than relying on "matches": true alone.
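The following is an added example, not bytecode-checker-cli's own code, showing what a local-versus-on-chain bytecode comparison has to normalise and why a "constructor parameter difference" can still be a match: solc appends a CBOR metadata trailer whose hash changes with source paths and comments, and immutable values set by the constructor are written into the runtime code at deploy time. All bytecode, the `IMMUTABLE_REFS` map and the owner address baked into the sample are constructed for the example; nothing is fetched from a node.

```javascript
// Added example (not bytecode-checker-cli's code): compare a Hardhat artifact's
// deployedBytecode with the runtime code eth_getCode returns, after stripping the
// solc metadata trailer and masking the immutable slots the constructor fills in.
// Every byte string below is constructed for the example.

function hexToBytes(hex) {
  const clean = hex.startsWith('0x') ? hex.slice(2) : hex;
  if (clean.length % 2 !== 0 || /[^0-9a-fA-F]/.test(clean)) {
    throw new Error('invalid hex bytecode');
  }
  return Uint8Array.from(Buffer.from(clean, 'hex'));
}

function bytesToHex(bytes) {
  return Buffer.from(bytes).toString('hex');
}

function bytesEqual(a, b) {
  return a.length === b.length && a.every((v, i) => v === b[i]);
}

// solc appends a CBOR map (ipfs/bzzr source hash, compiler version) followed by
// its length as a 2-byte big-endian integer. Different source paths or comments
// change that hash without changing the code, so strip it before comparing.
function stripMetadata(bytes) {
  if (bytes.length < 2) return bytes;
  const len = (bytes[bytes.length - 2] << 8) | bytes[bytes.length - 1];
  const start = bytes.length - 2 - len;
  // Plausibility check: the trailer must fit and must begin with a CBOR map
  // header (major type 5, 0xa0..0xbf); otherwise assume there is no trailer.
  if (start < 0 || (bytes[start] & 0xe0) !== 0xa0) return bytes;
  return bytes.subarray(0, start);
}

// Zero the ranges the compiler records as immutableReferences
// ({ astId: [{ start, length }] }, byte offsets into deployedBytecode), so
// values set by the constructor are not reported as code changes.
function maskImmutables(bytes, immutableReferences) {
  const out = Uint8Array.from(bytes);
  for (const refs of Object.values(immutableReferences)) {
    for (const { start, length } of refs) {
      if (start + length <= out.length) out.fill(0, start, start + length);
    }
  }
  return out;
}

function firstDifference(a, b) {
  const n = Math.min(a.length, b.length);
  for (let i = 0; i < n; i++) if (a[i] !== b[i]) return i;
  return n; // same prefix, different length
}

function compareBytecode(localHex, onChainHex, immutableReferences = {}) {
  const local = hexToBytes(localHex);
  const chain = hexToBytes(onChainHex);
  if (chain.length === 0) {
    return { matches: false, reason: 'no code at address (EOA, undeployed or self-destructed)' };
  }
  if (bytesEqual(local, chain)) return { matches: true, reason: 'exact match' };
  const localCode = stripMetadata(local);
  const chainCode = stripMetadata(chain);
  if (bytesEqual(localCode, chainCode)) {
    return { matches: true, reason: 'match ignoring metadata hash' };
  }
  const localMasked = maskImmutables(localCode, immutableReferences);
  const chainMasked = maskImmutables(chainCode, immutableReferences);
  if (bytesEqual(localMasked, chainMasked)) {
    // Surface the on-chain immutable values so a reviewer can confirm, e.g., the
    // owner or token address the constructor baked in, instead of a bare "match".
    const immutables = [];
    for (const [id, refs] of Object.entries(immutableReferences)) {
      for (const { start, length } of refs) {
        immutables.push({ id, start, onChain: '0x' + bytesToHex(chainCode.subarray(start, start + length)) });
      }
    }
    return { matches: true, reason: 'match ignoring immutables', immutables };
  }
  return {
    matches: false,
    reason: 'runtime code differs',
    firstDiff: firstDifference(localMasked, chainMasked),
    localLength: local.length,
    onChainLength: chain.length,
  };
}

// Constructed sample artifact: PUSH1 0x80 PUSH1 0x40 MSTORE, PUSH32 <immutable>
// (all zero in the artifact, an address on chain), POP, STOP, then metadata.
const IMMUTABLE_REFS = { '7': [{ start: 6, length: 32 }] }; // astId 7 is made up
const BODY_PREFIX = '6080604052' + '7f';
const BODY_SUFFIX = '5000';
const ZERO32 = '00'.repeat(32);
const OWNER32 = '000000000000000000000000' + '80aaf2e4636c510e067a5d300d8bafd48027addf';

// CBOR map {"ipfs": 0x1220<digest>, "solc": <3 bytes>} plus its 2-byte length.
function metadataTrailer(digestHex32) {
  const body = 'a2' + '6469706673' + '5822' + '1220' + digestHex32 + '64736f6c63' + '43000816';
  return body + (body.length / 2).toString(16).padStart(4, '0');
}

const LOCAL_DEPLOYED = '0x' + BODY_PREFIX + ZERO32 + BODY_SUFFIX + metadataTrailer('11'.repeat(32));
const ON_CHAIN_CODE = '0x' + BODY_PREFIX + OWNER32 + BODY_SUFFIX + metadataTrailer('22'.repeat(32));
// A tampered deployment: POP (0x50) at byte 38 replaced by SELFDESTRUCT (0xff).
const TAMPERED_CODE = '0x' + BODY_PREFIX + OWNER32 + 'ff00' + metadataTrailer('22'.repeat(32));

console.log(compareBytecode(LOCAL_DEPLOYED, ON_CHAIN_CODE, IMMUTABLE_REFS));
console.log(compareBytecode(LOCAL_DEPLOYED, TAMPERED_CODE, IMMUTABLE_REFS));
```

In a real Hardhat project the local side comes from the artifact's `deployedBytecode` (the runtime code, not `bytecode`, which includes the constructor) and the on-chain side from `ethers.provider.getCode(address)`; `immutableReferences` are not in the slim artifact but in the compiler output Hardhat keeps under `artifacts/build-info` (`evm.deployedBytecode.immutableReferences`). Two caveats the comparison cannot hide: the code at an upgradeable proxy address is the proxy's, so list the implementation address if that is what you compiled, and an immutable that masks cleanly can still hold the wrong value, which is why the example returns the on-chain bytes instead of only "matches".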
Example GitHub Actions workflow:
name: Bytecode Check
on: [push, pull_request]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '18'
      - run: npm ci
      - run: npx hardhat compile
      - run: npx bytecode-check check
MIT
kiro
FAQs
A CLI tool that checks whether locally compiled contract code matches the contract code deployed on chain
The npm package bytecode-checker-cli receives a total of 2 weekly downloads. As such, bytecode-checker-cli popularity was classified as not popular.
We found that bytecode-checker-cli demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.