The 'got' npm package is a human-friendly and powerful HTTP request library for Node.js. It provides an easy-to-use API for making HTTP requests and supports many features like streams, pagination, JSON parsing, and more.
Simplified HTTP requests
This feature allows you to perform HTTP GET requests with a promise-based API. The example shows how to fetch a webpage and log the HTML content.
const got = require('got');
got('https://sindresorhus.com').then(response => {
console.log(response.body);
}).catch(error => {
console.log(error.response.body);
});
JSON support
This feature automatically parses JSON responses. The example demonstrates fetching JSON data from an API and logging the parsed object.
const got = require('got');
got('https://api.example.com/data', { responseType: 'json' }).then(response => {
console.log(response.body);
}).catch(error => {
console.log(error.response.body);
});
POST requests
This feature allows you to send POST requests with JSON bodies. The example shows how to send a POST request with a JSON payload and receive a JSON response.
const got = require('got');
got.post('https://api.example.com/submit', {
json: {
key: 'value'
},
responseType: 'json'
}).then(response => {
console.log(response.body);
}).catch(error => {
console.log(error.response.body);
});
Error handling
This feature provides comprehensive error handling for various types of request failures. The example demonstrates how to handle different error scenarios when a request fails.
const got = require('got');
got('https://api.example.com/wrong-endpoint').then(response => {
console.log(response.body);
}).catch(error => {
if (error.response) {
console.log('The server responded with a non-2xx status code.');
} else if (error.request) {
console.log('The request was made but no response was received');
} else {
console.log('An error occurred when trying to perform the request.');
}
});
Stream support
This feature allows you to use got as a stream. The example shows how to stream a webpage's content and write it to a file.
const got = require('got');
const fs = require('fs');
const stream = got.stream('https://sindresorhus.com');
stream.pipe(fs.createWriteStream('index.html'));
Axios is a promise-based HTTP client for the browser and Node.js. It provides an API similar to got but also works in the browser. Axios has interceptors that allow you to transform requests and responses before they are handled by then or catch.
Request is a simplified HTTP request client that was very popular but is now deprecated. It had a callback-based API but also supported promises. Got is considered a modern alternative to Request with promise support by default.
Node-fetch is a light-weight module that brings the Fetch API to Node.js. It is a minimalistic and straightforward API that resembles the Fetch API provided by modern browsers, making it familiar to front-end developers.
Superagent is a small progressive client-side HTTP request library. It has a fluent API that allows chaining methods to configure requests, and it can be used on both server and client side. Compared to got, it has a more object-oriented style.
Simplified HTTP requests
Got is a human-friendly and powerful HTTP request library.
It was created because the popular request package is bloated.
Got is for Node.js. For browsers, we recommend Ky.
See how Got compares to other HTTP libraries
$ npm install got
const got = require('got');
(async () => {
try {
const response = await got('sindresorhus.com');
console.log(response.body);
//=> '<!doctype html> ...'
} catch (error) {
console.log(error.response.body);
//=> 'Internal server error ...'
}
})();
const fs = require('fs');
const got = require('got');
got.stream('sindresorhus.com').pipe(fs.createWriteStream('index.html'));
// For POST, PUT, and PATCH methods `got.stream` returns a `stream.Writable`
fs.createReadStream('index.html').pipe(got.stream.post('sindresorhus.com'));
It's a GET request by default, but can be changed by using different methods or in the options.
Returns a Promise for a response object or a stream if options.stream is set to true.
Type: string | Object
The URL to request, as a string, a https.request options object, or a WHATWG URL.
Properties from options will override properties in the parsed url.
If no protocol is specified, it will default to https.
Type: Object
Any of the https.request options.
Type: string | Object
When specified, url will be prepended by baseUrl.
If you specify an absolute URL, it will skip the baseUrl.
Very useful when used with got.extend() to create niche-specific Got instances.
Can be a string or a WHATWG URL.
Slash at the end of baseUrl and at the beginning of the url argument is optional:
await got('hello', {baseUrl: 'https://example.com/v1'});
//=> 'https://example.com/v1/hello'
await got('/hello', {baseUrl: 'https://example.com/v1/'});
//=> 'https://example.com/v1/hello'
await got('/hello', {baseUrl: 'https://example.com/v1'});
//=> 'https://example.com/v1/hello'
Type: Object
Default: {}
Request headers.
Existing headers will be overwritten. Headers set to null will be omitted.
Type: boolean
Default: false
Returns a Stream instead of a Promise. This is equivalent to calling got.stream(url, [options]).
Type: string | Buffer | stream.Readable | form-data instance
If you provide this option, got.stream() will be read-only.
The body that will be sent with a POST request.
If present in options and options.method is not set, options.method will be set to POST.
The content-length header will be automatically set if body is a string / Buffer / fs.createReadStream instance / form-data instance, and content-length and transfer-encoding are not manually set in options.headers.
Type: tough.CookieJar instance
Cookie support. You don't have to care about parsing or how to store them. Example.
Note: options.headers.cookie will be overridden.
Type: string | null
Default: 'utf8'
Encoding to be used on setEncoding of the response data. If null, the body is returned as a Buffer (binary data).
Type: boolean
Default: false
If you provide this option, got.stream() will be read-only.
If set to true and Content-Type header is not set, it will be set to application/x-www-form-urlencoded.
body must be a plain object. It will be converted to a query string using (new URLSearchParams(object)).toString().
Type: boolean
Default: false
If you use got.stream(), this option will be ignored.
If set to true and Content-Type header is not set, it will be set to application/json.
Parse response body with JSON.parse and set accept header to application/json. If used in conjunction with the form option, the body will be stringified as querystring and the response parsed as JSON.
body must be a plain object or array and will be stringified.
Type: string | Object<string, string|number> | URLSearchParams
Query string that will be added to the request URL. This will override the query string in url.
If you need to pass in an array, you can do it using a URLSearchParams instance:
const got = require('got');
const query = new URLSearchParams([['key', 'a'], ['key', 'b']]);
got('https://example.com', {query});
console.log(query.toString());
//=> 'key=a&key=b'
And if you need a different array format, you could use the query-string package:
const got = require('got');
const queryString = require('query-string');
const query = queryString.stringify({key: ['a', 'b']}, {arrayFormat: 'bracket'});
got('https://example.com', {query});
console.log(query);
//=> 'key[]=a&key[]=b'
Type: number | Object
Milliseconds to wait for the server to end the response before aborting the request with got.TimeoutError error (a.k.a. request property). By default, there's no timeout.
This also accepts an object with the following fields to constrain the duration of each phase of the request lifecycle:
- lookup starts when a socket is assigned and ends when the hostname has been resolved. Does not apply when using a Unix domain socket.
- connect starts when lookup completes (or when the socket is assigned if lookup does not apply to the request) and ends when the socket is connected.
- secureConnect starts when connect completes and ends when the handshaking process completes (HTTPS only).
- socket starts when the socket is connected. See request.setTimeout.
- response starts when the request has been written to the socket and ends when the response headers are received.
- send starts when the socket is connected and ends when the request has been written to the socket.
- request starts when the request is initiated and ends when the response's end event fires.
Type: number | Object
Default:
- retries: 2
- methods: GET PUT HEAD DELETE OPTIONS TRACE
- statusCodes: 408 413 429 500 502 503 504
- maxRetryAfter: undefined
An object representing retries, methods, statusCodes and maxRetryAfter fields for the time until retry, allowed methods, allowed status codes and maximum Retry-After time.
If maxRetryAfter is set to undefined, it will use options.timeout.
If Retry-After header is greater than maxRetryAfter, it will cancel the request.
The delay between retries is computed as 1000 * Math.pow(2, retry) + Math.random() * 100, where retry is the attempt number (starts from 0).
The retries property can be a number or a function with retry and error arguments. The function must return a delay in milliseconds (0 return value cancels retry).
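The retry rules above, worked through as an added stand-alone example (not Got's source code). It assumes a numeric `options.timeout`, assumes a `Retry-After` value within the limit is used as the delay, and the function names and the `now`/`random` test parameters are hypothetical.

```javascript
// Added example: retry decision following the rules listed on this page.
// Defaults are the documented ones; everything else is an illustrative sketch.
const DEFAULT_RETRY = {
  retries: 2,
  methods: new Set(['GET', 'PUT', 'HEAD', 'DELETE', 'OPTIONS', 'TRACE']),
  statusCodes: new Set([408, 413, 429, 500, 502, 503, 504]),
  maxRetryAfter: undefined
};
const NETWORK_ERRORS = new Set(['ETIMEDOUT', 'ECONNRESET', 'EADDRINUSE', 'ECONNREFUSED', 'EPIPE']);

// Retry-After is either delta-seconds or an HTTP-date.
// Returns milliseconds from `now`, or undefined when it cannot be parsed.
function parseRetryAfter(value, now) {
  if (typeof value !== 'string') return undefined;
  const text = value.trim();
  if (/^\d+$/.test(text)) return Number(text) * 1000;
  const date = Date.parse(text);
  return Number.isNaN(date) ? undefined : Math.max(0, date - now);
}

// attempt: 0-based retry number. failure: {method, statusCode?, code?, retryAfter?}.
// Returns the delay in milliseconds; 0 means "do not retry".
function computeRetryDelay(attempt, failure, options = {}) {
  const policy = {...DEFAULT_RETRY, ...options.retry};
  const now = options.now === undefined ? Date.now() : options.now;
  const random = options.random || Math.random;

  if (attempt >= policy.retries) return 0;            // retry budget spent
  if (!policy.methods.has(failure.method)) return 0;  // e.g. POST is not retried by default

  // An HTTP response is judged by status code, a socket failure by error code.
  const retriable = failure.statusCode === undefined
    ? NETWORK_ERRORS.has(failure.code)
    : policy.statusCodes.has(failure.statusCode);
  if (!retriable) return 0;

  // A server-supplied Retry-After is honoured only up to the configured cap,
  // so a remote peer cannot park the client for an arbitrary time.
  const retryAfter = parseRetryAfter(failure.retryAfter, now);
  if (retryAfter > 0) {
    const limit = policy.maxRetryAfter === undefined ? options.timeout : policy.maxRetryAfter;
    if (limit !== undefined && retryAfter > limit) return 0;
    return retryAfter;
  }

  // Exponential backoff with up to 100 ms of jitter.
  return 1000 * Math.pow(2, attempt) + random() * 100;
}

// Constructed sample failures, for illustration only.
console.log(computeRetryDelay(0, {method: 'GET', statusCode: 503}));
console.log(computeRetryDelay(0, {method: 'POST', statusCode: 503}));
console.log(computeRetryDelay(0, {method: 'GET', statusCode: 429, retryAfter: '30'}, {timeout: 10000}));
```
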
Note: It retries only on the specified methods, status codes, and on these network errors:
- ETIMEDOUT: One of the timeout limits was reached.
- ECONNRESET: Connection was forcibly closed by a peer.
- EADDRINUSE: Could not bind to any free port.
- ECONNREFUSED: Connection was refused by the server.
- EPIPE: The remote side of the stream being written has been closed.
Type: boolean
Default: true
Defines if redirect responses should be followed automatically.
Note that if a 303 is sent by the server in response to any request type (POST, DELETE, etc.), Got will automatically request the resource pointed to in the location header via GET. This is in accordance with the spec.
Type: boolean
Default: true
Decompress the response automatically. This will set the accept-encoding header to gzip, deflate unless you set it yourself.
If this is disabled, a compressed response is returned as a Buffer. This may be useful if you want to handle decompression yourself or stream the raw compressed data.
Type: Object
Default: false
Cache adapter instance for storing cached data.
Type: Function
Default: http.request or https.request (depending on the protocol)
Custom request function. The main purpose of this is to support HTTP2 using a wrapper.
Type: boolean
Default: false
When used in Electron, Got will use electron.net instead of the Node.js http module. According to the Electron docs, it should be fully compatible, but it's not entirely. See #443 and #461.
Type: boolean
Default: true
Determines if a got.HTTPError is thrown for error responses (non-2xx status codes).
If this is disabled, requests that encounter an error status code will be resolved with the response instead of throwing. This may be useful if you are checking for resource availability and are expecting error responses.
Same as the agent option for http.request, but with an extra feature:
If you require different agents for different protocols, you can pass a map of agents to the agent option. This is necessary because a request to one protocol might redirect to another. In such a scenario, Got will switch over to the right protocol agent for you.
const got = require('got');
const HttpAgent = require('agentkeepalive');
const {HttpsAgent} = HttpAgent;
got('sindresorhus.com', {
agent: {
http: new HttpAgent(),
https: new HttpsAgent()
}
});
Type: Object<string, Function[]>
Hooks allow modifications during the request lifecycle. Hook functions may be async and are run serially.
Type: Function[]
Default: []
Called with normalized request options. Got will make no further changes to the request before it is sent. This is especially useful in conjunction with got.extend() and got.create() when you want to create an API client that, for example, uses HMAC-signing.
See the AWS section for an example.
Note: If you modify the body you will need to modify the content-length header too, because it has already been computed and assigned.
Type: Function[]
Default: []
Called with normalized request options. Got will make no further changes to the request. This is especially useful when you want to avoid dead sites. Example:
const got = require('got');
got('example.com', {
hooks: {
beforeRedirect: [
options => {
if (options.hostname === 'deadSite') {
options.hostname = 'fallbackSite';
}
}
]
}
});
Type: Function[]
Default: []
Called with normalized request options, the error and the retry count. Got will make no further changes to the request. This is especially useful when some extra work is required before the next try. Example:
const got = require('got');
got('example.com', {
hooks: {
beforeRetry: [
(options, error, retryCount) => {
if (error.statusCode === 413) { // Payload too large
options.body = getNewBody();
}
}
]
}
});
Type: Function[]
Default: []
Called with response object and a retry function.
Each function should return the response. This is especially useful when you want to refresh an access token. Example:
const got = require('got');
const instance = got.extend({
hooks: {
afterResponse: [
(response, retryWithMergedOptions) => {
if (response.statusCode === 401) { // Unauthorized
const updatedOptions = {
headers: {
token: getNewToken() // Refresh the access token
}
};
// Save for further requests
instance.defaults.options = got.mergeOptions(instance.defaults.options, updatedOptions);
// Make a new retry
return retryWithMergedOptions(updatedOptions);
}
// No changes otherwise
return response;
}
]
},
mutableDefaults: true
});
The response object will typically be a Node.js HTTP response stream, however, if returned from the cache it will be a response-like object which behaves in the same way.
Type: string | Object (depending on options.json)
The result of the request.
Type: string
The request URL or the final URL after redirects.
Type: string
The original request URL.
Type: Object
The object contains the following properties:
- start: Time when the request started.
- socket: Time when a socket was assigned to the request.
- lookup: Time when the DNS lookup finished.
- connect: Time when the socket successfully connected.
- upload: Time when the request finished uploading.
- response: Time when the request fired the response event.
- end: Time when the response fired the end event.
- error: Time when the request fired the error event.
- phases
  - wait: timings.socket - timings.start
  - dns: timings.lookup - timings.socket
  - tcp: timings.connect - timings.lookup
  - request: timings.upload - timings.connect
  - firstByte: timings.response - timings.upload
  - download: timings.end - timings.response
  - total: timings.end - timings.start or timings.error - timings.start
Note: The time is a number representing the milliseconds elapsed since the UNIX epoch.
Type: boolean
Whether the response was retrieved from the cache.
Type: Array
The redirect URLs.
Type: number
The number of times the request was retried.
Note: Progress events, redirect events and request/response events can also be used with promises.
Sets options.stream to true.
Returns a duplex stream with additional events:
The request event to get the request object of the request.
Tip: You can use the request event to abort the request:
got.stream('github.com')
.on('request', request => setTimeout(() => request.abort(), 50));
The response event to get the response object of the final request.
The redirect event to get the response object of a redirect. The second argument is options for the next request to the redirect location.
Progress events for uploading (sending a request) and downloading (receiving a response). The progress argument is an object like:
{
percent: 0.1,
transferred: 1024,
total: 10240
}
If it's not possible to retrieve the body size (can happen when streaming), total will be null.
(async () => {
const response = await got('sindresorhus.com')
.on('downloadProgress', progress => {
// Report download progress
})
.on('uploadProgress', progress => {
// Report upload progress
});
console.log(response);
})();
The error event emitted in case of a protocol error (like ENOTFOUND etc.) or status error (4xx or 5xx). The second argument is the body of the server response in case of status error. The third argument is a response object.
Sets options.method to the method name and makes a request.
Configure a new got instance with default options. The options are merged with the parent instance's defaults.options using got.mergeOptions. You can access the resolved options with the .defaults property on the instance.
const client = got.extend({
baseUrl: 'https://example.com',
headers: {
'x-unicorn': 'rainbow'
}
});
client.get('/demo');
/* HTTP Request =>
* GET /demo HTTP/1.1
* Host: example.com
* x-unicorn: rainbow
*/
(async () => {
const client = got.extend({
baseUrl: 'httpbin.org',
headers: {
'x-foo': 'bar'
}
});
const {headers} = (await client.get('/headers', {json: true})).body;
//=> headers['x-foo'] === 'bar'
const jsonClient = client.extend({
json: true,
headers: {
'x-baz': 'qux'
}
});
const {headers: headers2} = (await jsonClient.get('/headers')).body;
//=> headers2['x-foo'] === 'bar'
//=> headers2['x-baz'] === 'qux'
})();
Need more control over the behavior of Got? Check out the got.create().
Extends parent options. Avoid using object spread as it doesn't work recursively:
const a = {headers: {cat: 'meow', wolf: ['bark', 'wrrr']}};
const b = {headers: {cow: 'moo', wolf: ['auuu']}};
{...a, ...b} // => {headers: {cow: 'moo', wolf: ['auuu']}}
got.mergeOptions(a, b) // => {headers: {cat: 'meow', cow: 'moo', wolf: ['auuu']}}
Options are deeply merged to a new object. The value of each key is determined as follows:
- If the new property is set to undefined, it keeps the old one.
- If the parent property is a URL and the new value is a string or URL, a new URL instance is created: new URL(new, parent).
- If the new property is an Object:
  - If the parent property is an Object too, both values are merged recursively into a new Object.
- If the new property is an Array, it overwrites the old one with a deep clone of the new property.
Type: Object
The default Got options.
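The merge rules listed for got.mergeOptions above, as an added sketch that is not Got's implementation. `mergeOptionsSketch` and its helpers are hypothetical names, and the handling of cases the list does not spell out (other value types are assigned as-is, an Object replacing a non-Object is cloned) is an assumption.

```javascript
// Added example: a deep merge that follows the documented rules, to show why
// a shallow object spread silently drops nested headers (for instance an
// authorization or signing header set on a parent instance).
const isPlainObject = value =>
  value !== null && typeof value === 'object' &&
  Object.getPrototypeOf(value) === Object.prototype;

function deepClone(value) {
  if (Array.isArray(value)) return value.map(deepClone);
  if (isPlainObject(value)) {
    const copy = {};
    for (const [key, inner] of Object.entries(value)) copy[key] = deepClone(inner);
    return copy;
  }
  return value; // primitives, URL instances, functions: kept by reference
}

function mergeOptionsSketch(parent, update) {
  const result = deepClone(parent);
  for (const [key, value] of Object.entries(update)) {
    const old = result[key];
    if (value === undefined) {
      continue;                                   // keep the old value
    } else if (old instanceof URL && (typeof value === 'string' || value instanceof URL)) {
      result[key] = new URL(value, old);          // resolve against the parent URL
    } else if (isPlainObject(value)) {
      result[key] = isPlainObject(old)
        ? mergeOptionsSketch(old, value)          // recurse into nested objects
        : deepClone(value);                       // assumption: clone when parent is not an Object
    } else if (Array.isArray(value)) {
      result[key] = deepClone(value);             // arrays overwrite, never concatenate
    } else {
      result[key] = value;                        // assumption: plain assignment otherwise
    }
  }
  return result;
}

// Constructed sample: a parent instance carrying a token, a child adding a header.
function demoMerge() {
  const parentDefaults = {headers: {token: 'constructed-sample-token'}};
  const childOptions = {headers: {'x-trace': '1'}};
  return {
    spread: {...parentDefaults, ...childOptions}.headers,
    merged: mergeOptionsSketch(parentDefaults, childOptions).headers
  };
}
console.log(demoMerge());
```
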
Each error contains (if available) body, statusCode, statusMessage, host, hostname, method, path, protocol and url properties to make debugging easier.
In Promise mode, the response is attached to the error.
When a cache method fails, for example, if the database goes down or there's a filesystem error.
When a request fails. Contains a code property with error class code, like ECONNREFUSED.
When reading from response stream fails.
When json option is enabled, server response code is 2xx, and JSON.parse fails.
When the server response code is not 2xx. Includes statusCode, statusMessage, and redirectUrls properties.
When the server redirects you more than ten times. Includes a redirectUrls property, which is an array of the URLs Got was redirected to before giving up.
When given an unsupported protocol.
When the request is aborted with .cancel().
When the request is aborted due to a timeout.
The promise returned by Got has a .cancel() method which when called, aborts the request.
(async () => {
const request = got(url, options);
// …
// In another part of the code
if (something) {
request.cancel();
}
// …
try {
await request;
} catch (error) {
if (request.isCanceled) { // Or `error instanceof got.CancelError`
// Handle cancelation
}
// Handle other errors
}
})();
Got implements RFC 7234 compliant HTTP caching which works out of the box in-memory and is easily pluggable with a wide range of storage adapters. Fresh cache entries are served directly from the cache, and stale cache entries are revalidated with If-None-Match/If-Modified-Since headers. You can read more about the underlying cache behavior in the cacheable-request documentation.
You can use the JavaScript Map type as an in-memory cache:
const got = require('got');
const map = new Map();
(async () => {
let response = await got('sindresorhus.com', {cache: map});
console.log(response.fromCache);
//=> false
response = await got('sindresorhus.com', {cache: map});
console.log(response.fromCache);
//=> true
})();
Got uses Keyv internally to support a wide range of storage adapters. For something more scalable you could use an official Keyv storage adapter:
$ npm install @keyv/redis
const got = require('got');
const KeyvRedis = require('@keyv/redis');
const redis = new KeyvRedis('redis://user:pass@localhost:6379');
got('sindresorhus.com', {cache: redis});
Got supports anything that follows the Map API, so it's easy to write your own storage adapter or use a third-party solution.
For example, the following are all valid storage adapters:
const storageAdapter = new Map();
// Or
const storageAdapter = require('./my-storage-adapter');
// Or
const QuickLRU = require('quick-lru');
const storageAdapter = new QuickLRU({maxSize: 1000});
got('sindresorhus.com', {cache: storageAdapter});
View the Keyv docs for more information on how to use storage adapters.
You can use the tunnel package with the agent option to work with proxies:
const got = require('got');
const tunnel = require('tunnel');
got('sindresorhus.com', {
agent: tunnel.httpOverHttp({
proxy: {
host: 'localhost'
}
})
});
Check out global-tunnel if you want to configure proxy support for all HTTP/HTTPS traffic in your app.
You can use the tough-cookie package:
const got = require('got');
const {CookieJar} = require('tough-cookie');
const cookieJar = new CookieJar();
cookieJar.setCookie('foo=bar', 'https://www.google.com');
got('google.com', {cookieJar});
You can use the form-data package to create a POST request with form data:
const fs = require('fs');
const got = require('got');
const FormData = require('form-data');
const form = new FormData();
form.append('my_file', fs.createReadStream('/foo/bar.jpg'));
got.post('google.com', {
body: form
});
You can use the oauth-1.0a package to create a signed OAuth request:
const got = require('got');
const crypto = require('crypto');
const OAuth = require('oauth-1.0a');
const oauth = OAuth({
consumer: {
key: process.env.CONSUMER_KEY,
secret: process.env.CONSUMER_SECRET
},
signature_method: 'HMAC-SHA1',
hash_function: (baseString, key) => crypto.createHmac('sha1', key).update(baseString).digest('base64')
});
const token = {
key: process.env.ACCESS_TOKEN,
secret: process.env.ACCESS_TOKEN_SECRET
};
const url = 'https://api.twitter.com/1.1/statuses/home_timeline.json';
got(url, {
headers: oauth.toHeader(oauth.authorize({url, method: 'GET'}, token)),
json: true
});
Requests can also be sent via unix domain sockets. Use the following URL scheme: PROTOCOL://unix:SOCKET:PATH.
- PROTOCOL - http or https (optional)
- SOCKET - Absolute path to a unix domain socket, for example: /var/run/docker.sock
- PATH - Request path, for example: /v2/keys
got('http://unix:/var/run/docker.sock:/containers/json');
// Or without protocol (HTTP by default)
got('unix:/var/run/docker.sock:/containers/json');
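Because a plain URL string can select a local unix socket, defaults to https when no protocol is given, and may be redirected to another host, a service that passes caller-supplied URLs to an HTTP client should vet them first. The following is an added example, not part of Got: the function names, reason strings and allowlist are hypothetical, and it assumes that an error thrown from a beforeRedirect hook aborts the request.

```javascript
// Added example: validate an untrusted URL string before handing it to the client.
// Matches the PROTOCOL://unix:SOCKET:PATH scheme described above (protocol optional).
const UNIX_URL = /^(?:(https?):\/\/)?unix:(.+?):(.+)$/i;

function parseUnixSocketUrl(input) {
  const match = UNIX_URL.exec(String(input).trim());
  if (!match) return null;
  return {
    protocol: (match[1] || 'http').toLowerCase(), // HTTP by default
    socketPath: match[2],
    path: match[3]
  };
}

// allowedHosts: Set of exact hostnames the service is allowed to contact.
function checkOutboundUrl(input, allowedHosts) {
  const text = String(input).trim();

  // Untrusted input must never be able to address a local socket
  // such as /var/run/docker.sock.
  if (parseUnixSocketUrl(text)) return {ok: false, reason: 'unix-socket'};

  // Mirror the documented default: no protocol means https.
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(text) ? text : `https://${text}`;

  let url;
  try {
    url = new URL(withScheme);
  } catch (_) {
    return {ok: false, reason: 'invalid-url'};
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return {ok: false, reason: 'scheme-not-allowed'};
  }
  if (!allowedHosts.has(url.hostname)) {
    return {ok: false, reason: 'host-not-allowed'};
  }
  return {ok: true, url: url.href};
}

// Shaped like the beforeRedirect hook shown earlier: it receives the normalized
// options of the next request and rejects hosts outside the allowlist.
function makeRedirectGuard(allowedHosts) {
  return options => {
    if (!allowedHosts.has(options.hostname)) {
      throw new Error(`Redirect to ${options.hostname} is not allowed`);
    }
  };
}

// Constructed sample inputs, for illustration only.
const sampleAllowlist = new Set(['api.example.com']);
for (const candidate of [
  'api.example.com/v1/users',
  'unix:/var/run/docker.sock:/containers/json',
  'http://10.0.0.5/admin',
  'file:///etc/passwd'
]) {
  console.log(candidate, '->', JSON.stringify(checkOutboundUrl(candidate, sampleAllowlist)));
}
```
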
Requests to AWS services need to have their headers signed. This can be accomplished by using the aws4 package. This is an example for querying an "API Gateway" with a signed request.
const AWS = require('aws-sdk');
const aws4 = require('aws4');
const got = require('got');
const chain = new AWS.CredentialProviderChain();
// Create a Got instance to use relative paths and signed requests
const awsClient = got.extend({
baseUrl: 'https://<api-id>.execute-api.<api-region>.amazonaws.com/<stage>/',
hooks: {
beforeRequest: [
async options => {
const credentials = await chain.resolvePromise();
aws4.sign(options, credentials);
}
]
}
});
// `await` needs an async function when the file is loaded with require()
(async () => {
const response = await awsClient('endpoint/path', {
// Request-specific options
});
})();
You can test your requests by using the nock package to mock an endpoint:
const got = require('got');
const nock = require('nock');
nock('https://sindresorhus.com')
.get('/')
.reply(200, 'Hello world!');
(async () => {
const response = await got('sindresorhus.com');
console.log(response.body);
//=> 'Hello world!'
})();
If you need real integration tests you can use create-test-server:
const got = require('got');
const createTestServer = require('create-test-server');
(async () => {
const server = await createTestServer();
server.get('/', 'Hello world!');
const response = await got(server.url);
console.log(response.body);
//=> 'Hello world!'
await server.close();
})();
It's a good idea to set the 'user-agent' header so the provider can more easily see how their resource is used. By default, it's the URL to this repo. You can omit this header by setting it to null.
const got = require('got');
const pkg = require('./package.json');
got('sindresorhus.com', {
headers: {
'user-agent': `my-package/${pkg.version} (https://github.com/username/my-package)`
}
});
got('sindresorhus.com', {
headers: {
'user-agent': null
}
});
Bear in mind: if you send an if-modified-since header and receive a 304 Not Modified response, the body will be empty. It's your responsibility to cache and retrieve the body contents.
Use got.extend() to make it nicer to work with REST APIs, especially if you use the baseUrl option.
Note: Not to be confused with got.create(), which has no defaults.
const got = require('got');
const pkg = require('./package.json');
const custom = got.extend({
baseUrl: 'example.com',
json: true,
headers: {
'user-agent': `my-package/${pkg.version} (https://github.com/username/my-package)`
}
});
// Use `custom` exactly how you use `got`
(async () => {
const list = await custom('/v1/users/list');
})();
Need to merge some instances into a single one? Check out got.mergeInstances().
Got provides experimental support for HTTP2 using the http2-wrapper package:
const got = require('got');
const {request} = require('http2-wrapper');
const h2got = got.extend({request});
(async () => {
const {body} = await h2got('https://nghttp2.org/httpbin/headers');
console.log(body);
})();
| | got | request | node-fetch | axios |
|---|---|---|---|---|
| HTTP/2 support | ❔ | ✖ | ✖ | ✖ |
| Browser support | ✖ | ✖ | ✔* | ✔ |
| Electron support | ✔ | ✖ | ✖ | ✖ |
| Promise API | ✔ | ✔ | ✔ | ✔ |
| Stream API | ✔ | ✔ | Node.js only | ✖ |
| Request cancelation | ✔ | ✖ | ✖ | ✔ |
| RFC compliant caching | ✔ | ✖ | ✖ | ✖ |
| Cookies (out-of-box) | ✔ | ✔ | ✖ | ✖ |
| Follows redirects | ✔ | ✔ | ✔ | ✔ |
| Retries on failure | ✔ | ✖ | ✖ | ✖ |
| Progress events | ✔ | ✖ | ✖ | Browser only |
| Handles gzip/deflate | ✔ | ✔ | ✔ | ✔ |
| Advanced timeouts | ✔ | ✖ | ✖ | ✖ |
| Timings | ✔ | ✔ | ✖ | ✖ |
| Errors with metadata | ✔ | ✖ | ✖ | ✔ |
| JSON mode | ✔ | ✔ | ✖ | ✔ |
| Custom defaults | ✔ | ✔ | ✖ | ✔ |
| Composable | ✔ | ✖ | ✖ | ✖ |
| Hooks | ✔ | ✖ | ✖ | ✔ |
* It's almost API compatible with the browser fetch API.
❔ Experimental support.
Sindre Sorhus | Vsevolod Strukchinsky | Alexander Tesfamichael | Luke Childs | Szymon Marczak | Brandon Smith |
MIT
FAQs
Human-friendly and powerful HTTP request library for Node.js
The npm package got receives a total of 18,760,920 weekly downloads. As such, got popularity was classified as popular.
We found that got demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.