Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Having developed many server-side services using a wide range of enterprise and open-source frameworks, I realized they all had one thing in common: they pushed you to use certain technologies in certain ways.
It all came down to going back to basics and using express to build every project. Each project had slight variations in its packages, and from that came the concept of clout-js: a decoupled, event-based framework that lets you use whatever technology you like. Modules can be packaged up and reused across projects. Even core modules, such as the one that starts the server, can be replaced by writing an override.
$ npm install clout-js@beta --save
These commands should be run from the repository's root directory.
$ npm run test
$ npm run test:watch
$ npm run gendoc
$ APPLICATION_PATH=<clout-js-application> npm run start
const clout = require('clout-js');

clout.start();

// Once the framework has finished starting, report which listeners are up.
clout.on('started', () => {
  ['https', 'http'].forEach((key) => {
    let server = clout.server[key];
    if (server) {
      let port = server.address().port;
      console.info('%s server started on port %s', key, port);
    }
  });
});
The following folders make up the default application search path.
Directory | Purpose |
---|---|
/conf | contains configuration, with support for NODE_ENV |
/apis | contains the APIs for the application |
/hooks | hooks which can be invoked before an API |
/models | contains models (native support for sequelize) |
/public | public assets folder |
/controllers | contains controllers for the application |
NODE_ENV=development npm run start
You can load different configuration files depending on the NODE_ENV variable. For example, NODE_ENV=development (the default) loads the following configuration files into the application:
conf/default.js
conf/**.development.js
conf/development.js
Another example is NODE_ENV=production, which loads the following files:
conf/default.js
conf/**.production.js
conf/production.js
Package name | Description |
---|---|
clout-redis-session | Clout module to leverage Redis for sessions |
clout-passport | Clout module to implement passport |
clout-parse | Parse module |
clout-mongoose | Clout module to leverage mongoose for models |
clout-18n | Clout module to implement i18n |
clout-socket-io | Clout module to leverage socket.io |
clout-sequelize | Clout module to leverage sequelize for models |
clout-flash | Flash message middleware module for Clout-JS |
FAQs
Clean, simplistic, enterprise grade full-stack NodeJS framework
The npm package clout-js receives a total of 2 weekly downloads. As such, clout-js popularity was classified as not popular.
We found that clout-js demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.