Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Pure JavaScript GXChain library for node.js and browsers. Can be used to construct, sign and broadcast transactions in JavaScript, and to easily obtain data from the blockchain via public apis.
Most of this code was written by jcalfee, my work was mostly just repackaging to a discrete npm package.
This library can be obtained through npm:
npm install gxbjs
Three sub-libraries are included: ECC
, Chain
and Serializer
. Generally only the ECC
and Chain
libraries need to be used directly.
This library provides utility functions to handle blockchain state as well as a login class that can be used for simple login functionality using a specific key seed.
The login class uses the following format for keys:
keySeed = accountName + role + password
Using this seed, private keys are generated for either the default roles active, owner, memo
, or as specified. A minimum password length of 12 characters is enforced, but an even longer password is recommended. Three methods are provided:
generateKeys(account, password, [roles])
checkKeys(account, password, auths)
signTransaction(tr)
The auths object should contain the auth arrays from the account object. An example is this:
{
active: [
["GPH5Abm5dCdy3hJ1C5ckXkqUH2Me7dXqi9Y7yjn9ACaiSJ9h8r8mL", 1]
]
}
If checkKeys is successful, you can use signTransaction to sign a TransactionBuilder transaction using the private keys for that account.
The Chain library contains a complete state container called the ChainStore. The ChainStore will automatically configure the set_subscribe_callback
and handle any incoming state changes appropriately. It uses Immutable.js for storing the state, so all objects are return as immutable objects. It has its own subscribe
method that can be used to register a callback that will be called whenever a state change happens.
The ChainStore has several useful methods to retrieve, among other things, objects, assets and accounts using either object ids or asset/account names. These methods are synchronous and will return undefined
to indicate fetching in progress, and null
to indicate that the object does not exist.
import {Apis} from "gxbjs-ws";
var {ChainStore} = require("gxbjs");
Apis.instance("wss://bitshares.openledger.info/ws", true).init_promise.then((res) => {
console.log("connected to:", res[0].network);
ChainStore.init().then(() => {
ChainStore.subscribe(updateState);
});
});
let dynamicGlobal = null;
function updateState(object) {
dynamicGlobal = ChainStore.getObject("2.1.0");
console.log("ChainStore object update\n", dynamicGlobal ? dynamicGlobal.toJS() : dynamicGlobal);
}
The ECC library contains all the crypto functions for private and public keys as well as transaction creation/signing.
As a quick example, here's how to generate a new private key from a seed (a brainkey for example):
var {PrivateKey, key} = require("gxbjs");
let seed = "THIS IS A TERRIBLE BRAINKEY SEED WORD SEQUENCE";
let pkey = PrivateKey.fromSeed( key.normalize_brainKey(seed) );
console.log("\nPrivate key:", pkey.toWif());
console.log("Public key :", pkey.toPublicKey().toString(), "\n");
TODO transaction signing example
npm i -g esdoc esdoc-es7-plugin
esdoc -c ./esdoc.json
open out/esdoc/index.html
FAQs
Pure JavaScript GXChain library for node.js and browsers.
The npm package gxbjs receives a total of 38 weekly downloads. As such, gxbjs popularity was classified as not popular.
We found that gxbjs demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.