Execute ECMAScript code uniformly across any ECMAScript host environment. See also eshost-cli for an easy way to use this library from the command line.
Using eshost, you can create an agent (eg. a web browser or a command-line ECMAScript host) and evaluate scripts within that agent. Code running within the agent has access to the eshost runtime API, which enables that code to evaluate scripts, create new realms, handle errors, and so forth, without having to know what the host-specific mechanisms for these capabilities are.
eshost consists of a wrapper around the various ways of executing a host and processing its output (called an Agent) and a runtime library for host-agnostic scripts to use.
```sh
npm install eshost
```
| Host | Supported Platforms | Download | Notes |
|---|---|---|---|
| node | Any | https://nodejs.org | |
| ch | Any | Download or build | Chakra console host. |
| d8 | Any | Build from source | v8 console host. Errors are reported on stdout. Use $.getGlobal and $.setGlobal to get and set properties of global objects in other realms. |
| jsshell | Any | Download | SpiderMonkey console host. |
| jsc | Mac¹ | Build from source² | |
| nashorn | Any | Build from source | |
| edge | Windows | | Errors reported from Microsoft Edge are all of type Error. Requires Microsoft WebDriver in your path. |
| chrome | Any | | Requires ChromeDriver in your path. |
| firefox | Any | | Requires GeckoDriver in your path (possibly renamed to wires). |
| safari | Mac | | Requires the [SafariDriver browser extension](https://github.com/SeleniumHQ/selenium/wiki/SafariDriver). |

¹ ² jsc on macOS: `/System/Library/Frameworks/JavaScriptCore.framework/Versions/A/Resources/jsc`
```js
const esh = require('eshost');
const agent = esh.createAgent('d8', { hostPath: 'path/to/d8.exe' });
const result = await agent.evalScript(`
print(1+1);
`);
console.log(result.stdout);
```
An array of supported host types.
Gets an instance of a runner for a particular host type. See the table above for supported host types.
"localhost"
1337
- remote host only; the Selenium/WebDriver capabilities to request for the remote session; all specified attributes will be forwarded to the server; a listing of available attributes is available in the Selenium project's wiki; the following attributes are required:
- remote host only; URL of the WebDriver server to which commands should be issued.

Initializes the host and returns a promise that is resolved once the host is initialized. Command-line hosts have no initialization, as a new process is started for each execution.
This is called for you if you use the createAgent factory.
Executes code in the host using the Script goal symbol. Returns a promise for a result object.

By default, a script will run in eshost until the realm is destroyed. For most command-line hosts, this happens automatically when the script execution queues are empty. Browsers, however, remain open waiting for more code to become available, so eshost automatically appends $.destroy() to the end of your scripts. This behavior is not correct if you are executing asynchronous code; in such cases, add async: true to the options.

Options:
- async: when true, your script is responsible for calling $.destroy() on the root realm when it's finished. When false, $.destroy() is added for you.

Stops the currently executing script. For a console host, this simply kills the child process. For browser hosts, it kills the current window and creates a new one.
Destroys the agent, closing any of its associated resources (eg. browser windows, child processes, etc.).
An object with the following keys:
- stdout: what the host wrote to standard output (eg. via print).

The error object is similar to the error object you get in the host itself. Namely, it has the following keys:
Tears down the agent. For browsers, this will close the browser window.
Prints str to stdout.
A reference to the global object.
Creates a new realm, returning that realm's runtime library ($).
For example, creating two nested realms:

```js
$sub = $.createRealm();
$subsub = $sub.createRealm();
```
You can also pass a destroy callback that is called when the code inside the realm calls $.destroy(). For example:

```js
$sub = $.createRealm({
  destroy: function () {
    print('destroyed!')
  }
});
$sub.evalScript('$.destroy()'); // prints "destroyed!"
```
Options:
- destroy: a callback invoked when code inside the realm calls $.destroy().

Creates a new script and evals code in that realm. If an error is thrown, it will be passed to the onError callback.
Scripts are different from eval in that lexical bindings go into the global lexical contour rather than being scoped to the eval.
Destroys the realm. Note that in some hosts, $.destroy may not actually stop executing code in the realm or even destroy the realm.
Gets the global property name.
Sets the global property name to value.
This project's tests can be executed with the following command:

```sh
npm test
```

The above command will cause tests to be run against all supported hosts. Executables for each host must be available on the system's PATH environment variable.

One or more hosts may be skipped from the test run by setting corresponding environment variables whose names match the pattern ESHOST_SKIP_*, where * is the capitalized name of the host. For example, on a Unix-like system, the following command executes the project's tests but skips the JavaScriptCore and D8 tests:

```sh
ESHOST_SKIP_JSC=1 ESHOST_SKIP_D8=1 npm test
```

Tests for the "remote" agent can be configured to run against any arbitrary Selenium/WebDriver configuration by setting the following environment variables: ESHOST_REMOTE_BROWSERNAME, ESHOST_REMOTE_VERSION, ESHOST_REMOTE_PLATFORM. These values are used to define the host's capabilities; see the above documentation of eshost.createAgent for more details. For example, on a Unix-like system, the following command executes the project's tests in a remote instance of the Firefox web browser:

```sh
ESHOST_REMOTE_BROWSERNAME=firefox npm test
```
FAQs
Invoke ECMAScript scripts in any command line JS engine.
We found that eshost demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.