Accept credit cards and cryptocurrencies. Dead simple user payment system so simple a caveman cow could do it.
CCashCow is a small app that sits between your application and the payment processors it uses. CCashCow offloads as much of the logic and user interaction as possible to the forms maintained by and hosted on the payment processors themselves. Your app in turn offloads to CCashCow everything but the bare minimum needed for your app to accept payments. The end result is a system that's straightforward for developers and users, secure, easy to maintain, and as customizable as possible without introducing too much complexity.
Built and maintained by Ptorx and other Xyfir projects.
From now on we'll assume commands are run from ccashcow/.
As simple as CCashCow is, you'll still need to download, configure, build, and integrate it into your app. We've made it just about as easy as it could possibly be.
Note #1: If your system does not yet have Node installed, start with nvm (or nvm for Windows).
Note #2: You may alternatively download CCashCow through npm (see here), however this is not currently the recommended installation method. In the future we'll likely have a CLI tool available through npm to make configuring, running, and managing CCashCow instances easier.
git clone https://github.com/Xyfir/ccashcow.git
cd ccashcow
Install npm dependencies for each module:
cd server
npm install
cd ../web
npm install
cd ../ # back to ccashcow/
The CCashCow modules are configured via environment variables which are loaded into the applications via .env files located in each module's directory.
To understand the syntax of the .env files, know that they are first loaded via dotenv and then the string values provided by dotenv are parsed by enve.
Create .env files
First we'll create each file by copying the example .env files and then we'll work our way through populating them with values.
cp server/example.env server/.env
cp web/example.env web/.env
Edit .env files
Edit the files server/.env and web/.env. Update the config keys with your own values. You can find descriptions for each one under the CCashCow -> Env namespaces in the type definitions. Use the appropriate interface for each corresponding file.
cd server
npm run build
cd ../web
npm run build
cd ../
Now you'll need to start the server and serve the built files. The simplest way to do this is:
cd server
npm run start
cd ../
If you're in production, you'll probably run the server with pm2 and proxy the server through Nginx or Apache while serving static files through them instead of Node. For you, know that files to be served to the client are located in web/dist, with web/dist/index.html serving as the web client's entry file.
This part is largely up to you, so it's important to understand the flow of data between your app and CCashCow:
To be a bit more specific:
Check the CCashCow.Payment interface. Your app should only ever send a JWT containing id, amount, and methods; everything else will be added by CCashCow and sent back to your app with the user later. Because that token comes back through the user, verify its signature before trusting anything in it. To check whether a payment has been paid, all you have to do is check that paid is a number and not undefined. Other values sent back to your app, like method or squareTransactionId, can be ignored unless you have some other use for them.
If you'd like to help work on CCashCow, the tutorial above will suffice to get you up and running. Certain things however will make your life easier:
Make sure the NODE_ENV variables in the .env files are set to "development".
Run npm run start when in web/. Connect to it via the PORT you set in web/.env.
Check the scripts in each module's package.json for helpful scripts.
[2.1.1] - 2019-06-16
Accept cards & crypto. Payments so easy a cow could do it.
We found that ccashcow demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.