Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Utility methods for parsing Lightning Network BOLT 11 payment requests, as well as encoding unsigned requests and signing payment requests.
Assemble a signed payment request
{
destination: <Destination Public Key Hex String>
hrp: <Request Human Readable Part String>
signature: <Request Hash Signature Hex String>
tags: [<Request Tag Word Number>]
}
@throws
<Error>
@returns
{
request: <BOLT 11 Encoded Payment Request String>
}
Example:
const {createSignedRequest} = require('invoices');
// Get hrp and signature from createUnsignedRequest
// Get signature via standard private key signing, or LND signBytes
const {request} = createSignedRequest({
destination: nodePublicKey,
hrp: amountAndNetworkHrp,
signature: signedPreimageHash,
tags: paymentRequestTags,
});
Create an unsigned payment request
{
[chain_addresses]: [<Chain Address String>]
[cltv_delta]: <CLTV Delta Number>
[created_at]: <Invoice Creation Date ISO 8601 String>
[description]: <Description String>
[description_hash]: <Description Hash Hex String>
destination: <Public Key String>
[expires_at]: <ISO 8601 Date String>
features: [{
bit: <BOLT 09 Feature Bit Number>
}]
id: <Preimage SHA256 Hash Hex String>
[mtokens]: <Requested Milli-Tokens Value String> (can exceed Number limit)
network: <Network Name String>
[payment]: <Payment Identifier Hex String>
[routes]: [[{
[base_fee_mtokens]: <Base Fee Millitokens String>
[channel]: <Standard Format Channel Id String>
[cltv_delta]: <Final CLTV Expiration Blocks Delta Number>
[fee_rate]: <Fee Rate Millitokens Per Million Number>
public_key: <Forward Edge Public Key Hex String>
}]]
[tokens]: <Requested Chain Tokens Number> (note: can differ from mtokens)
}
@returns
{
hash: <Payment Request Signature Hash Hex String>
hrp: <Human Readable Part of Payment Request String>
preimage: <Signature Hash Preimage Hex String>
tags: [<Data Tag Number>]
}
Example:
const {createUnsignedRequest} = require('invoices');
const unsignedComponents = createUnsignedRequest({
destination: nodePublicKey,
id: rHashHexString,
network: 'bitcoin',
});
// Use createSignedRequest and a signature to create a complete request
Parse a BOLT 11 payment request into its component data
Note: either description or description_hash will be returned
{
request: <BOLT 11 Payment Request String>
}
@throws
<Error>
@returns
{
[chain_addresses]: [<Chain Address String>]
cltv_delta: <CLTV Delta Number>
created_at: <Invoice Creation Date ISO 8601 String>
[description]: <Description String>
[description_hash]: <Description Hash Hex String>
destination: <Public Key String>
expires_at: <ISO 8601 Date String>
features: [{
bit: <BOLT 09 Feature Bit Number>
is_required: <Feature Support is Required To Pay Bool>
type: <Feature Type String>
}]
id: <Payment Request Hash String>
is_expired: <Invoice is Expired Bool>
[mtokens]: <Requested Milli-Tokens Value String> (can exceed Number limit)
network: <Network Name String>
[payment]: <Payment Identifier Hex Encoded String>
[routes]: [[{
[base_fee_mtokens]: <Base Fee Millitokens String>
[channel]: <Standard Format Channel Id String>
[cltv_delta]: <Final CLTV Expiration Blocks Delta Number>
[fee_rate]: <Fee Rate Millitokens Per Million Number>
public_key: <Forward Edge Public Key Hex String>
}]]
[safe_tokens]: <Requested Chain Tokens Rounded Up Number>
[tokens]: <Requested Chain Tokens Number> (note: can differ from mtokens)
}
const {parsePaymentRequest} = require('invoices');
// Decoded details of the payment request
const requestDetails = parsePaymentRequest({request: 'paymentRequestString'});
FAQs
Methods for working with BOLT 11 payment requests
The npm package invoices receives a total of 3,812 weekly downloads. As such, invoices popularity was classified as popular.
We found that invoices demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.