Node-monitor is a library for remote monitoring and control of your Node.js app servers.
Like JMX in the Java world, node-monitor comes with a handful of general monitors, and allows you to create custom monitors for your application.
These monitors can be scripted using JavaScript, or placed onto a dashboard.
Run the following from your app server directory:
$ npm install monitor
Then place the following line in your application bootstrap, and restart your server:
require('monitor').start();
Ad-hoc monitoring can be done from a REPL console.
Start up the REPL, and get the Monitor class. Feel free to copy/paste these lines into your console:
$ node
> var Monitor = require('monitor');
undefined
Now connect a monitor to a probe on your app server. There are a handful of built-in probes, and you can build custom probes for your application or npm module.
For this example, we'll monitor the Process probe:
> var processMonitor = new Monitor({probeClass:'Process'});
> processMonitor.connect();
The monitor is a Backbone.js data model so it updates in real time, and you can get all fields with toJSON():
> processMonitor.get('freemem');
86368256
> processMonitor.get('freemem');
80044032
> processMonitor.toJSON();
...
As the monitor changes, it emits change events:
> processMonitor.on('change', function() {
... console.log(processMonitor.get('freemem'));
... });
Using Node.js as a scripting language, you can write custom monitors that do anything Node.js can do. Here's an example that prints to the console when free memory falls below a threshold.
Save this file to low-memory-warn.js, and run node low-memory-warn:
// Low memory warning monitor
var Monitor = require('monitor');
var LOW_MEMORY_THRESHOLD = 100000000;

// Set the probe to push changes every 10 seconds
var options = {
  hostName: 'localhost',
  probeClass: 'Process',
  initParams: {
    pollInterval: 10000
  }
};
var processMonitor = new Monitor(options);

// Attach the change listener
processMonitor.on('change', function() {
  var freemem = processMonitor.get('freemem');
  if (freemem < LOW_MEMORY_THRESHOLD) {
    console.log('Low memory warning: ' + freemem);
  }
});

// Now connect the monitor
processMonitor.connect(function(error) {
  if (error) {
    console.error('Error connecting with the process probe: ', error);
    process.exit(1);
  }
});
The above script runs just as well within an HTML <script> tag as on the server. For example, change the var Monitor = require('monitor'); line to something like this:
<script src="/path/to/monitor/dist/monitor-all.min.js"></script>
The browser distribution included in node-monitor exports a single variable Monitor to the global namespace, and it can be used just like the Monitor variable in var Monitor = require('monitor').
Your browser will probably have to be pointing to localhost or behind your firewall in order to connect with the app server on the configured monitor port. See Security Concerns below.
The monitor-dashboard application lets you visualize your monitors in a dashboard.
$ npm install monitor-dashboard
$ npm start monitor-dashboard
Exposing the internals of your app server is a high security risk. By default, the server listens on port 42000 and will connect with localhost clients only.
In order to monitor across machines, the default configuration must be changed to listen beyond localhost. Before doing this, it is recommended to understand the risks and have external measures in place to prevent unauthorized access.
See notes in the config/external.js file for more information.
May be freely distributed under the MIT license
See the LICENSE file.
Copyright (c) 2010-2014 Loren West
FAQs
Runtime monitoring for node.js applications
The npm package monitor receives a total of 252 weekly downloads. As such, monitor popularity was classified as not popular.
We found that monitor demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.