![Malicious npm Package Typosquats react-login-page to Deploy Keylogger](https://cdn.sanity.io/images/cgdhsj6q/production/007b21d9cf9e03ae0bb3f577d1bd59b9d715645a-1024x1024.webp?w=400&fit=max&auto=format)
Research
Security News
Malicious npm Package Typosquats react-login-page to Deploy Keylogger
Socket researchers unpack a typosquatting package with malicious code that logs keystrokes and exfiltrates sensitive data to a remote server.
jsh
Advanced tools
Readme
jsh is a UNIX command-line shell which sits on top of both Node.js and sh, allowing you to simultaneously execute JavaScript and shell commands. It is fully compatible with Node modules, and preloads all the built-in Node modules at initialization (just like in the Node REPL), as well as any modules in ~/.jsh/node_modules, automatically converting to camel-case where necessary. Any all-caps environment variables are added to the global scope at start, and anything in the global scope is passed in as an environment variable to processes started by jsh.
In shell commands, you can use the $ character to substitute a variable from the JavaScript environment. Alternatively you can surround any JavaScript expression in brackets and precede it with a $ character to perform substitutions. Use brackets whenever your JavaScript expression contains a non-word character, like a . or " character.
jsh checks to see if the first word in an expression is an executable, or else it executes it as JavaScript, so if you have executables named "var" or "function" in your PATH, you're gonna have a bad time!
$ npm install -g jsh
$ var p = './dir';
$ if (fs.existsSync(p))
.. fs.readdirSync(p).forEach(function (v) {
.... echo $v
.... });
This will echo the filenames of all the files in ./dir
Of course, you can also execute shell commands from within JavaScript functions:
$ function moveOut (v) {
.. mv $v ../
.. console.log(v + ' has been moved to the parent directory.');
.. }
$ moveOut('file')
An example with brackets:
$ function removetxt (v) {
.. rm ${v + '.txt'}
.. }
jsh comes with full tab-completion, and you can preload JavaScript in your jsh environment by adding it to your .jshrc, in your home folder. jsh will automatically create this file the first time it is run.
You can write jsh scripts by starting a script with #!/usr/local/bin/jsh
. The .jshrc file is still executed by the VM prior to script execution, and remember that all the built-in node modules are already loaded in the environment!
ls
.split('\n')jsh now works properly in tmux (thanks nicm)
No other known bugs. jsh is still in infancy so please report any bugs you find, either here or to me personally. Reach out to me for any reason on Freenode IRC, @raypulver (I'm always on).
FAQs
Unknown package
We found that jsh demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers unpack a typosquatting package with malicious code that logs keystrokes and exfiltrates sensitive data to a remote server.
Security News
The JavaScript community has launched the e18e initiative to improve ecosystem performance by cleaning up dependency trees, speeding up critical parts of the ecosystem, and documenting lighter alternatives to established tools.
Product
Socket now supports four distinct alert actions instead of the previous two, and alert triaging allows users to override the actions taken for all individual alerts.