Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
ln-service
Advanced tools
The core of this project is a gRPC interface for node.js projects, available through npm.
The project can be run alone to create a simplified REST interface on top of LND that exposes functionality to client applications.
It is recommended to not expose the REST interface directly to the dangerous internet as that gives anyone control of your node.
The service can run in two modes:
The direct GRPC mode is recommended.
https://github.com/lightningnetwork/lnd/blob/master/docs/INSTALL.md
If using Bitcoin Core, the following ~/.bitcoin/bitcoin.conf configuration is recommended:
assumevalid= // plug in the current best block hash
daemon=1
dbcache=3000
disablewallet=1
rpcpassword= // make a strong password
rpcuser=bitcoinrpc
server=1
testnet=1 // Set as applicable
zmqpubrawblock=tcp://127.0.0.1:28332
zmqpubrawtx=tcp://127.0.0.1:28333
Sample LND configuration options (~/.lnd/lnd.conf)
[Application Options]
externalip=IP
rpclisten=0.0.0.0:10009
tlsextraip=IP
[Bitcoin]
bitcoin.active=1
bitcoin.mainnet=1
bitcoin.node=bitcoind
You can install the service via npm -
$ npm install ln-service
Run base64 on the tls.cert and admin.macaroon files to get the encoded authentication data to create the LND connection. You can find these files in the LND directory. (~/.lnd or ~/Library/Application Support/Lnd)
$ base64 tls.cert
$ base64 data/chain/bitcoin/mainnet/admin.macaroon
Be careful to avoid copying any newline characters.
You can then interact with your LND node directly:
const lnService = require('ln-service');
const lnd = lnService.lightningDaemon({
cert: 'base64 encoded tls.cert',
host: 'localhost:10009',
macaroon: 'base64 encoded admin.macaroon',
});
lnService.getWalletInfo({lnd}, (error, result) => {
console.log(result);
});
Promises are also supported to allow async/await syntax
const getWalletInfo = require('ln-service/getWalletInfo');
const walletInfo = await getWalletInfo({lnd});
console.log(walletInfo.public_key);
If you are interacting with your node remotely, make sure to set:
tlsextraip=YOURIP
In the lnd.conf file for your LND, and regenerate TLS certs by deleting them.
If using a domain for your LND, use the domain option:
tlsextradomain=YOURDOMAIN
git clone https://github.com/alexbosworth/ln-service.git
cd ln-service
npm install
In NPM installed direct GRPC mode only GRPC_SSL_CIPHER_SUITES
environment
variable is needed
export GRPC_SSL_CIPHER_SUITES='HIGH+ECDSA'
In REST mode:
For convenience in REST mode, you can make a .env file with KEY=VALUE
pairs
instead of setting environment variables.
Environment variables:
export GRPC_SSL_CIPHER_SUITES='HIGH+ECDSA'
export LNSERVICE_CHAIN="bitcoin" // or litecoin
export LNSERVICE_LND_DIR='~/.lnd/'
export LNSERVICE_NETWORK="testnet" // or mainnet
export LNSERVICE_SECRET_KEY=REPLACE!WITH!SECRET!KEY!
Setting environment variables in Linux:
.bashrc
or ~/.profile
$ source ~/.bashrc
in the window you are running the service fromSetting environment variables in MacOS:
~/.bash_profile
$ . ~/.bash_profile
in the window you are running the service from$ npm start
ln-service
uses Basic Authentication currently. Make sure that the request has an authorization header that contains Base64 encoded credentials.
Basic example of an authorization header -
Authorization: Basic {{TOKEN_GOES_HERE_WITHOUT_BRACES}}
To generate the Base64 encoded credentials in Chrome for example in the console you can -
> let username = 'test';
// username can be anything.
> let password = '1m5secret4F';
// password must match the LNSERVICE_SECRET_KEY in your environment variables.
> btoa(`${username}:${password}`);
// dGVzdDoxbTVlY3JldDRG
And then set the value of the Authorization header to the returned value dGVzdDoxbTVlY3JldDRG
.
And copy the result as the token in the above example
$ npm test
btcd and lnd are required to execute the integration tests.
$ tap test/integration/*.js
FAQs
Interaction helper for your Lightning Network daemon
The npm package ln-service receives a total of 1,503 weekly downloads. As such, ln-service popularity was classified as popular.
We found that ln-service demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.