Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Protecting and Optimizing your JavaScript Source Code.
When do you need this module?
This is a Node.js module available through the npm registry.
This module can be used on node or web projects develop with Node.js version 18.0 or higher.
Installation is done using the npm install
command:
npm install --save-dev cubegenjs
or
yarn add --dev cubegenjs
You need create two configuration files cg.builder.js
and cb.protector.js
.
Generate these files with the command:
npx cubegen init
After that, you have to select the target environment NodeJS
or Web Browser
based on your project type.
To use protector, you mush import cg.protector.js
file in your project.
For example Express.js project in /src/index.js
:
import express from 'express'
import '../cg.protector.js'
const app = express()
app.listen(3000, () => {
...
})
or React.js project in /src/App.jsx
:
import { useState } from 'react'
import '../cg.protector.js'
function App() {
...
}
After everything is done, build your project with the command:
npx cubegen build
The module use cg.builder.js
and cb.protector.js
files to define how the module works. Each properties and methods can be set according to your project needs.
Cubegen provides a terminal interface to manage your project.
CLI options of npx cubegen
:
-v, --version
-h, --help
commands:
init [options] initialize cubegen configuration
build [options] building your project to distribution code
options:
-r, --root <string> relative root project directory (default: "./")
The cg.builder.js
file contains the rules for how your project will be transformed with bundlers and obfuscators.
appKey
Type: string
Default: <generate by system>
Application key for generate private keys inner your code. You can use a custom random characters.
target
Type: string
Default: <generate by system>
Target where your application will be run in production. Available options: node
and browser
buildCommand
Type: string
Default: npm run build
⚠️ Only available in web project.
Command to build your web project. The build command example: npm run build
or yarn build
.
codeBundlingOptions
Type: object
Default: {}
⚠️ Only available in node project.
Bundler option to optimize your code with parcel.
Example:
codeBundlingOptions: {
rootDir: './',
outDir: './dist',
entries: [
'src/main.js',
'src/worker.js'
],
staticDirs: [
'public',
'storages'
],
buildMode: 'production'
}
codeObfuscationOptions
Type: object
Default: {}
Obfuscation option to obfuscate your protector code with javascript-obfuscator.
Example:
codeObfuscationOptions: {
target: 'node',
seed: '0fddc96ac6cad3b0',
controlFlowFlattening: true,
controlFlowFlatteningThreshold: 1,
...
compact: true,
simplify: true
}
See more option in https://github.com/javascript-obfuscator/javascript-obfuscator?tab=readme-ov-file#options
The cg.protector.js
file is the protection algorithm for your project. Your code in cg.protector.js
will be fully obfuscated after the build process is complete.
onStart()
This method will be called after protector is started.
Example:
onStart(() => {
console.log('Cubegen protector is starting.')
})
onDocumentLoaded()
⚠️ Only available in web project.
This method will be called after after DOM loaded.
Example:
onDocumentLoaded(() => {
console.log('Web document is loaded.')
})
onDomainNotAllowed()
⚠️ Only available in web project.
This method will be called if site host is not in the whitelist.
Example only allow hosted web app in localhost:*
:
const domainLockingOptions = {
enabled: true,
whitelist: [
'localhost',
'localhost:\\d+',
'127.0.0.1:\\d+'
]
}
onDomainNotAllowed(domainLockingOptions, () => {
window.location.host = 'https://your_site.com'
})
onModifiedCode()
⚠️ Only available in node project.
This method will be called if distributed code changed or not match with signiture.
Example:
const modifiedCodeOptions = {
enabled: true
}
onModifiedCode(modifiedCodeOptions, () => {
console.log('Source code is changed.')
process.exit()
})
onIntervalCall()
This method will be called continuously.
Example:
const intervalCallOptions = {
enabled: false,
eventLoopInterval: 5000
}
onIntervalCall(intervalCallOptions, () => {
// call monitoring service or do something
})
The main forum for free and community support is the project Issues on GitHub.
FAQs
Protecting and Optimizing your JavaScript Source Code
We found that cubegenjs demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.