Research
Malicious fezbox npm Package Steals Browser Passwords from Cookies via Innovative QR Code Steganographic Technique
A malicious package uses a QR code as steganography in an innovative technique.
By Olivia Brown - Sep 22, 2025
An ini format parser and serializer for node.
Sections are treated as nested objects. Items before the first heading are saved on the object directly.
Usage
Consider an ini-file config.ini that looks like this:
; this comment is being ignored
scope = global
[database]
user = dbuser
password = dbpassword
database = use_this_database
[paths.default]
datadir = /var/lib/data
array[] = first value
array[] = second value
array[] = third value
You can read, manipulate and write the ini-file like so:
var fs = require('fs')
, ini = require('ini')
var config = ini.parse(fs.readFileSync('./config.ini', 'utf-8'))
config.scope = 'local'
config.database.database = 'use_another_database'
config.paths.default.tmpdir = '/tmp'
delete config.paths.default.datadir
config.paths.default.array.push('fourth value')
fs.writeFileSync('./config_modified.ini', ini.stringify(config, { section: 'section' }))
This will result in a file called config_modified.ini being written
to the filesystem with the following content:
[section]
scope=local
[section.database]
user=dbuser
password=dbpassword
database=use_another_database
[section.paths.default]
tmpdir=/tmp
array[]=first value
array[]=second value
array[]=third value
array[]=fourth value
API
decode(inistring)
Decode the ini-style formatted inistring into a nested object.
parse(inistring)
Alias for decode(inistring)
encode(object, [options])
Encode the object object into an ini-style formatted string. If the
optional parameter section is given, then all top-level properties
of the object are put into this section and the section-string is
prepended to all sub-sections, see the usage example above.
The options object may contain the following:
sectionA string which will be the firstsectionin the encoded ini data. Defaults to none.whitespaceBoolean to specify whether to put whitespace around the=character. By default, whitespace is omitted, to be friendly to some persnickety old parsers that don't tolerate it well. But some find that it's more human-readable and pretty with the whitespace.
For backwards compatibility reasons, if a string options is passed
in, then it is assumed to be the section value.
stringify(object, [options])
Alias for encode(object, [options])
safe(val)
Escapes the string val such that it is safe to be used as a key or
value in an ini-file. Basically escapes quotes. For example
ini.safe('"unsafe string"')
would result in
"\"unsafe string\""
unsafe(val)
Unescapes the string val
FAQs
An ini encoder/decoder for node
We found that ini-forked demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 30 Apr 2019
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
/Security News
Identifying and Preventing Fraudulent Engineering Candidates: An Investigation into 80 Confirmed Cases
Socket identified 80 fake candidates targeting engineering roles, including suspected North Korean operators, exposing the new reality of hiring as a security function.
By Lauren Valencia, Kirill Boychenko - Sep 17, 2025
Application Security
/Research
/Security News
Updated and Ongoing Supply Chain Attack Targets CrowdStrike npm Packages
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that has now impacted nearly 500 packages.
By Kush Pandya, Peter van der Zee, Olivia Brown, Socket Research Team - Sep 16, 2025