npm i egg-gt3 --save
// {app_root}/config/plugin.js
exports.geetest = {
  enable: true,
  package: 'egg-gt3',
};
// {app_root}/config/config.default.js
exports.geetest = {
  geetest_id: '',
  geetest_key: '',
};
// {app_root}/app/router.js
// Add Geetest interception/validation to an API route. errorMsg (optional) is a custom error response; on validation failure the default response is { code: -1, error }
router.post('/a', app.middleware.geetest(app[, errorMsg]), controller.home.a);
// Geetest registration
this.ctx.geetest.register(data, callback);
// Geetest validation
this.ctx.geetest.validate(fallback, result, callback);
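The route guard described above, written out as an added example that is not egg-gt3's own code: a Koa/egg-style middleware factory that checks all three Geetest fields, takes the fallback flag from the server-side session rather than the client, and fails closed on any error. `validateGeetest(fallback, result)` is a hypothetical promise-returning stand-in for `ctx.geetest.validate(fallback, result, callback)`, and `fakeValidate` / `runGuard` are constructed test drivers.

```javascript
// Added example, not egg-gt3's own code: a Koa/egg-style middleware factory
// behaving like the guard described above. `validateGeetest(fallback, result)`
// is a hypothetical stand-in for ctx.geetest.validate(fallback, result, callback).
const GEETEST_FIELDS = ['geetest_challenge', 'geetest_validate', 'geetest_seccode'];

function geetestGuard(validateGeetest, errorMsg) {
  return async function guard(ctx, next) {
    const body = (ctx.request && ctx.request.body) || {};
    const result = {};
    // Fail closed: every Geetest field must be a non-empty string before the
    // validator is even called; a missing field is a failed check, not a skip.
    for (const field of GEETEST_FIELDS) {
      if (typeof body[field] !== 'string' || body[field].length === 0) {
        ctx.status = 400;
        ctx.body = errorMsg || { code: -1, error: `missing ${field}` };
        return;
      }
      result[field] = body[field];
    }
    // fallback: whether the register step ran in offline mode. Assumed to be
    // remembered server-side in the session, never taken from the client.
    const fallback = Boolean(ctx.session && ctx.session.geetestFallback);
    let ok = false;
    try {
      ok = await validateGeetest(fallback, result);
    } catch (err) {
      ok = false; // validator errors are treated as failure, never as success
    }
    if (!ok) {
      ctx.status = 403;
      ctx.body = errorMsg || { code: -1, error: 'geetest validation failed' };
      return;
    }
    await next();
  };
}
// Constructed stand-in validator: accepts exactly one known-good triple.
async function fakeValidate(fallback, result) {
  return !fallback && result.geetest_validate === 'good-validate';
}

// Drive the guard with a minimal constructed ctx and report what happened.
async function runGuard(body, session, errorMsg) {
  const ctx = { request: { body }, session, status: 200, body: null };
  let reachedController = false;
  const controller = async () => { reachedController = true; ctx.body = { code: 0 }; };
  await geetestGuard(fakeValidate, errorMsg)(ctx, controller);
  return { status: ctx.status, body: ctx.body, reachedController };
}
```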
// Front-end: initialise Geetest. cb is the callback; pass in the real request to send once validation succeeds
function registerInitGT(cb) {
  API.registerGT().then(res => {
    window.initGeetest({
      // The following 4 config parameters are required and must not be omitted
      gt: res.gt,
      challenge: res.challenge,
      offline: !res.success, // whether the backend detected that the Geetest server is down
      new_captcha: res.new_captcha, // in offline mode, indicates that this is the new captcha's fallback
      product: "bind", // product form; options include float, popup
      width: "300px"
      // See http://docs.geetest.com/install/client/web-front/ for more configuration parameters
    }, (captchaObj) => {
      this.captchaObj = captchaObj;
      captchaObj.onReady(() => {
        captchaObj.verify();
      }).onSuccess(() => {
        const result = captchaObj.getValidate();
        if (result) {
          cb(result);
        }
      });
    });
  });
}
// Send the verification code
function confirmSendCode(gt) {
  const { geetest_challenge, geetest_validate, geetest_seccode } = gt;
  API.getCaptcha(email, {
    geetest_challenge,
    geetest_validate,
    geetest_seccode
  }).then(res => {
    // handle the response here
  });
}
// Usage
registerInitGT(confirmSendCode);
Please open an issue here.
FAQs
egg geetest3 plugin
The npm package egg-gt3 receives a total of 3 weekly downloads. As such, egg-gt3 popularity was classified as not popular.
We found that egg-gt3 demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.