
```js
const {
  ClapPeer,
  DM,
  CRYPTO_DM,
  ERROR,
  INVALID_CRYPTO_DM,
} = require('clap-peer');

// Node 1: listens on port 1001 and logs plain (DM) and encrypted (CRYPTO_DM) messages
const node_1 = new ClapPeer(1001, 'A');
node_1.on(DM, msg => console.log(msg));
node_1.on(CRYPTO_DM, msg => console.log(msg));

// Node 2: listens on port 1002 and connects to node 1
const node_2 = new ClapPeer(1002, 'B');
node_2.connect({ host: '127.0.0.1', port: 1001 });

// Encrypted message (arrives at node 1 as CRYPTO_DM)
node_2
  .send(node_1.nodeId, { hello: 'hello crypto' })
  .catch(error => console.log(error));

// Unencrypted message (arrives at node 1 as DM)
node_2.publish(node_1.nodeId, { hello: 'just hello' });
```
You can use either of two methods to connect to a node: via the .connect method or by passing a configuration object when creating the node. Choose the method based on how you want to structure your code. Here are the two approaches:
`.connect()` method:

```js
const node = new ClapPeer(1001, 'A');
node.connect({ host: '127.0.0.1', port: 1002 });
```

Here, we create a node and then call the `.connect()` method, passing the host and port parameters. This allows you to separate the node creation and connection logic.

```js
const node = new ClapPeer(1002, 'A', { host: '127.0.0.1', port: 1002 });
```

In this case, we pass the connection parameters directly when creating the `ClapPeer` object. This method is convenient if you need to connect to the node immediately upon creation.
`send` — Sending an Encrypted Message

The `send` method is used to send encrypted messages. Before sending, it checks if the target node's public key is available:

Example:

```js
node.send(node_2.nodeId, { text: 'Hello, secure world!' }).catch(error => {
  console.log(error);
});
```

`publish` — Sending a Plain Message

The `publish` method sends messages without encryption. It simply forwards the data to the specified node.

Example:

```js
node.publish(node_2.nodeId, {
  text: 'Hello, open world!',
});
```
`send` and `publish`:

| Method | Encryption | Public Key Check | Request Public Key if Needed | Routing Through Intermediate Nodes |
|---|---|---|---|---|
| `send` | ✅ | ✅ | ✅ | ✅ |
| `publish` | ❌ | ❌ | ❌ | ✅ |
A node can subscribe to events to handle both plain and encrypted messages.
`publish` (DM)

DM type messages are generated when another node calls the `publish` method. These messages are transmitted unencrypted.

```js
node.on(DM, msg => console.log(msg));
```

`send` (CRYPTO_DM)

Messages of type CRYPTO_DM are generated when the `send` method is called by another node. These messages are received in encrypted form.

```js
node.on(CRYPTO_DM, msg => console.log(msg));
```
DM and CRYPTO_DM:

| Event | Method That Generates the Message | Message Type | Description |
|---|---|---|---|
| DM | `publish` | Plain text message | Handled as a regular, unencrypted message. |
| CRYPTO_DM | `send` | Encrypted message | Sent and received in an encrypted form. |
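Per the two tables above, `publish` traffic is unencrypted yet still relayed through intermediate nodes, so the choice between `send` and `publish` is a confidentiality decision. The following is an added example, not code from clap-peer or its README: a hypothetical `guardPeer` wrapper that never downgrades a failed `send` to `publish`, refuses to publish payloads carrying sensitive keys, and tags inbound messages by channel. The names `guardPeer`, `sendConfidential`, `sendPublic`, `sensitiveKeys` and `dropPlaintextInbound` are assumptions; only `send`, `publish`, `on`, `DM` and `CRYPTO_DM` come from the page.

```javascript
'use strict';

// Hypothetical helper (not part of clap-peer). `peer` is any object exposing
// send(), publish() and on() as described on this page; `events` carries the
// DM and CRYPTO_DM constants exported by clap-peer.
function guardPeer(peer, events, opts = {}) {
  const sensitiveKeys = new Set(
    (opts.sensitiveKeys || ['password', 'token', 'secret']).map(k => k.toLowerCase())
  );
  const rejected = []; // plaintext messages dropped by policy, kept for auditing
  const handlers = [];

  // Recursively look for keys that must never travel over publish().
  // Payloads are assumed to be plain JSON-style data without cycles.
  const findSensitive = (value, path = '') => {
    if (value === null || typeof value !== 'object') return null;
    for (const [key, child] of Object.entries(value)) {
      const here = path ? `${path}.${key}` : key;
      if (sensitiveKeys.has(key.toLowerCase())) return here;
      const nested = findSensitive(child, here);
      if (nested) return nested;
    }
    return null;
  };

  // Tag inbound messages with the channel they arrived on, so a handler
  // cannot mistake a plaintext DM for an encrypted CRYPTO_DM.
  peer.on(events.CRYPTO_DM, msg => handlers.forEach(h => h(msg, { encrypted: true })));
  peer.on(events.DM, msg => {
    if (opts.dropPlaintextInbound) { rejected.push(msg); return; }
    handlers.forEach(h => h(msg, { encrypted: false }));
  });

  return {
    rejected,
    onMessage: handler => handlers.push(handler),
    // Fail closed: a rejection from send() propagates to the caller;
    // there is deliberately no fallback to publish().
    sendConfidential: (nodeId, payload) => peer.send(nodeId, payload),
    // Plaintext path: refuse payloads that carry a sensitive key at any depth.
    sendPublic(nodeId, payload) {
      const hit = findSensitive(payload);
      if (hit) throw new Error(`refusing to publish plaintext field "${hit}"`);
      peer.publish(nodeId, payload);
    },
  };
}
```

In real use, pass a `ClapPeer` instance and `{ DM, CRYPTO_DM }` from `require('clap-peer')`.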
You can subscribe to the ERROR event to handle all errors.
```js
node.on(ERROR, (messageError, originalError) => {
  console.log(messageError);
  console.error(originalError);
});
```
The `messageError.message` parameter may contain one of the following messages:

- `TIMEOUT_ERROR_MESSAGE`: `Neighbor check timed out after ${TIMEOUT_DURATION / 1000} seconds`
- `TIMEOUT_ERROR_REQUEST`: `RSA key retrieval timed out.`
- `DECRYPT_ERROR`: `Unable to decrypt the message.`
- `SEND_ERROR`: `Failed to send the data.`
- `PUBLISH_ERROR`: `Failed to publish the data.`
FAQs
P2P data transmission library for direct node communication over TCP
The npm package clap-peer receives a total of 2 weekly downloads. As such, clap-peer popularity was classified as not popular.
We found that clap-peer demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.