jscrambler
Jscrambler Client for Browser and Node.js
DISCLAIMER: If you are looking for Jscrambler 3.8 or below please go to this page.
On your project:
npm i jscrambler --save-dev
Or globally:
npm i -g jscrambler
You may put your access and secret keys into a config file, which is used if it is found in these directories. Besides simplifying the command entry, this has the added benefit of not logging your Jscrambler credentials.
Here's an example of what your .jscramblerrc file should look like:
{
  "keys": {
    "accessKey": "AAAA",
    "secretKey": "SSSS"
  },
  "applicationId": "XXXXX",
  "filesSrc": [
    "/path/to/src.html",
    "/path/to/src.js"
  ],
  "filesDest": "/path/to/destDir/",
  "params": [
    {
      "name": "stringSplitting"
    }
  ],
  "areSubscribersOrdered": false,
  "jscramblerVersion": "5.1"
}
Please replace the AAAA, SSSS and XXXXX placeholders with your API credentials and Application ID.
You can also download this file through Jscrambler's application builder. More information can be found here.
npm install -g jscrambler
Usage: jscrambler [options] <file ...>

Options:

  -h, --help                       output usage information
  -V, --version                    output the version number
  -a, --access-key <accessKey>     Access key
  -c, --config <config>            JScrambler configuration options
  -H, --host <host>                Hostname
  -i, --application-id <id>        Application ID
  -o, --output-dir <dir>           Output directory
  -p, --port <port>                Port
  --protocol <protocol>            Protocol (http or https)
  --cafile <path>                  Internal certificate authority
  -C, --cwd <dir>                  Current Working Directory
  -m, --source-maps <id>           Download source maps
  -R, --randomization-seed <seed>  Set randomization seed
  -s, --secret-key <secretKey>     Secret key
  --recommended-order <bool>       Use recommended order
  -W --werror                      Cancel protection if any file contains errors
  --jscramblerVersion <version>    Use a specific Jscrambler version

When making API requests you must pass valid secret and access keys, either through the command line or by having a .jscramblerrc file. These keys are each 40-character, uppercase, alphanumeric strings. You can find them in your Jscrambler web dashboard under My Profile > API Credentials. In the examples these are shortened to AAAA and SSSS for the sake of readability.
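As an added example (not part of the Jscrambler client or its README), the following Node.js check audits a .jscramblerrc against the key format described above before it is used in a build. The function names, the placeholder test on applicationId and the owner-only (0600) permission expectation are assumptions of this example.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Key format stated in the README: 40 characters, uppercase alphanumeric.
const KEY_RE = /^[A-Z0-9]{40}$/;

// Audit a parsed .jscramblerrc object. `mode` is fs.statSync(file).mode, or
// null to skip the permission check. Findings never include key values.
function auditConfig(config, mode) {
  const findings = [];
  const keys = config.keys || {};
  for (const name of ['accessKey', 'secretKey']) {
    const value = keys[name];
    if (typeof value !== 'string' || value.length === 0) {
      findings.push(`${name}: missing`);
    } else if (!KEY_RE.test(value)) {
      findings.push(`${name}: not a 40-character uppercase alphanumeric string`);
    }
  }
  if (typeof config.applicationId !== 'string' || /^X*$/.test(config.applicationId)) {
    findings.push('applicationId: missing or still a placeholder');
  }
  // Assumption of this example: the file holding the secret key should be
  // owner-only (0600) on POSIX systems.
  if (mode !== null && (mode & 0o077) !== 0) {
    findings.push('file mode: accessible by group/other, expected 0600');
  }
  return findings;
}

function auditFile(file) {
  const config = JSON.parse(fs.readFileSync(file, 'utf8'));
  const mode = process.platform === 'win32' ? null : fs.statSync(file).mode;
  return auditConfig(config, mode);
}

// Constructed sample: the README's placeholder values, written world-readable.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'jscramblerrc-'));
  const file = path.join(dir, '.jscramblerrc');
  const sample = { keys: { accessKey: 'AAAA', secretKey: 'SSSS' }, applicationId: 'XXXXX' };
  fs.writeFileSync(file, JSON.stringify(sample));
  fs.chmodSync(file, 0o644);
  const findings = auditFile(file);
  fs.rmSync(dir, { recursive: true, force: true });
  return findings;
}
console.log(demo());
```

Running auditFile on the real file as a pre-build step and failing the build on any finding catches unreplaced placeholders and loosely permissioned credential files early.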
By default, Jscrambler will protect your application even if errors occurred in some of your files. For example, if your app has 5 files and 1 of them has syntax errors, Jscrambler will protect the files with no errors and keep the original, unprotected content in the other one.
With the --werror flag, any error or warning will make the protection fail. There are two possible types of errors:
Syntax errors
Code
function a[] {
  return
}
Output
Error: "Unexpected token [" in test.js:1
Protection failed
Errors parsing jscrambler code annotations
Code
//@jscrambler define __something
function test() {
  return true;
}
test();
//@jscrambler [define xxxxx]
function test1() {
  return false;
}
test1();
Output
Error: "[Annotation Error] Expected " " or [a-z]i but "_" found." in test.js:1
Error: "[Annotation Error] Expected " ", "define", "disable", "enable", "global", "order" or "target" but "[" found." in test.js:8
Error: "Parsing errors on annotations" in test.js
Protection failed
jscrambler -a AAAA -s SSSS -i APP_ID -o output.js input.js
jscrambler -a AAAA -s SSSS -i APP_ID -o output/ input1.js input2.js
jscrambler -a AAAA -s SSSS -i APP_ID -o output/ "lib/**/*.js"
jscrambler -c config.json
where config.json is an object optionally containing any of the JScrambler options listed here, using the structure described in the RC configuration.
jscrambler --recommended-order false input1.js -o output/
To enable:
jscrambler --recommended-order true input1.js -o output/
npm install jscrambler
var jscrambler = require('jscrambler').default;

jscrambler.protectAndDownload({
  keys: {
    accessKey: 'YOUR_JSCRAMBLER_ACCESS_KEY',
    secretKey: 'YOUR_JSCRAMBLER_SECRET_KEY'
  },
  host: 'api4.jscrambler.com',
  port: 443,
  applicationId: 'YOUR_APPLICATION_ID',
  filesSrc: [
    '/path/to/src/*.html',
    '/path/to/src/*.js'
  ],
  filesDest: '/path/to/destDir/',
  params: [
    {
      'name': 'whitespaceRemoval'
    },
    {
      'name': 'duplicateLiteralsRemoval'
    }
  ]
})
.then(function () {
  console.log('All done!');
})
.catch(function (err) {
  console.error(err);
});
More detailed information can be found here.
Please refer to docs for more information.
FAQs
Jscrambler API client.
The npm package jscrambler receives a total of 5,844 weekly downloads. As such, jscrambler popularity was classified as popular.
We found that jscrambler demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 9 open source maintainers collaborating on the project.