mute-stream
The mute-stream package is a Node.js module that allows you to mute and unmute writable streams, such as process.stdout or any other stream. This can be particularly useful for hiding user input during password prompts or suppressing output for clean logging.
Muting and unmuting a stream
This feature allows you to mute the output of a stream so that data written to it does not appear on the terminal or the piped destination. You can then unmute the stream to resume normal output.
const MuteStream = require('mute-stream');
const ms = new MuteStream();
ms.pipe(process.stdout);
ms.write('This will be displayed.');
ms.mute();
ms.write('This will not be displayed.');
ms.unmute();
ms.write('This will be displayed again.');
Muting and unmuting with a boolean
This feature provides an alternative way to mute and unmute the stream by passing a boolean value to the mute method.
const MuteStream = require('mute-stream');
const ms = new MuteStream();
ms.pipe(process.stdout);
ms.mute(true);
ms.write('This will not be displayed.');
ms.mute(false);
ms.write('This will be displayed.');
Setting up a prompt with muted input
This feature is useful for creating command-line prompts where you want to hide the user's input, such as password fields.
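const MuteStream = require('mute-stream');
const readline = require('readline');

const ms = new MuteStream();
ms.pipe(process.stdout);

const rl = readline.createInterface({
  input: process.stdin,
  output: ms
});

rl.question('Enter your password: ', (password) => {
  // Restore output before reporting; never echo the password itself.
  ms.unmute();
  console.log(`\nPassword received (${password.length} characters).`);
  rl.close();
});
// Mute only after the prompt has been written, so the typed characters are not echoed.
ms.mute();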
The readline-sync package provides a synchronous Readline interface for holding an interactive conversation with the user via a console (TTY). It can also hide user input on the console, similar to what mute-stream does, but it is designed for synchronous operations and does not require streams to work.
This package is an npm registry client that suppresses output unless there is an error. It is similar to mute-stream in that it controls the visibility of output, but it is specifically tailored for interactions with the npm registry.
Bytes go in, but they don't come out (when muted).
This is a basic pass-through stream, but when muted, the bytes are silently dropped, rather than being passed through.
const { PassThrough } = require('stream')
const MuteStream = require('mute-stream')

const options = {} // all options are optional
const ms = new MuteStream(options)
ms.pipe(process.stdout)
ms.write('foo') // writes 'foo' to stdout
ms.mute()
ms.write('bar') // does not write 'bar'
ms.unmute()
ms.write('baz') // writes 'baz' to stdout

// can also be used to mute incoming data
const input = new PassThrough() // stand-in for any readable source
const msIn = new MuteStream()
input.pipe(msIn)
msIn.on('data', function (c) {
  console.log('data: ' + c)
})
input.emit('data', 'foo') // logs 'data: foo'
msIn.mute()
input.emit('data', 'bar') // does not log 'bar'
msIn.unmute()
input.emit('data', 'baz') // logs 'data: baz'
All options are optional.
replace
Set to a string to replace each character with the specified string when muted. (So you can show **** instead of the password, for example.)
prompt
If you are using a replacement char, and also using a prompt with a readline stream (as for a Password: ***** input), then specify what the prompt is so that backspace will work properly. Otherwise, pressing backspace will overwrite the prompt with the replacement character, which is weird.
ms.mute()
Set muted to true. Turns .write() into a no-op.
ms.unmute()
Set muted to false.
ms.isTTY
True if the pipe destination is a TTY, or if the incoming pipe source is a TTY.
The other standard readable and writable stream methods are all available. The MuteStream object acts as a facade to its pipe source and destination.
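The following is an added example, not code from mute-stream or from this page: a core-only stand-in (the hypothetical MaskingStream, screenAfterPrompt and exposure) that replays a password prompt and reports what reaches the screen when bytes are dropped, when they are replaced, and when muting happens only after the input was echoed. The secret 'hunter2' used with it is a constructed sample value.

```javascript
// Added example: a core-only stand-in, NOT mute-stream's own source.
const Stream = require('stream');

class MaskingStream extends Stream {
  constructor({ replace = null } = {}) {
    super();
    this.writable = this.readable = true;
    this.muted = false;
    this.replace = replace; // e.g. '*'; null means "drop bytes while muted"
  }
  mute() { this.muted = true; }
  unmute() { this.muted = false; }
  write(chunk) {
    let text = String(chunk);
    if (this.muted) {
      if (!this.replace) return true;           // silently dropped
      text = text.replace(/./g, this.replace);  // newlines pass through unmasked
    }
    this.emit('data', text);
    return true;
  }
}

// Replays the echo a terminal prompt would produce and returns what reached
// the screen. `muteAt` is 'beforeInput' (correct) or 'afterInput' (too late).
function screenAfterPrompt(secret, { replace = null, muteAt = 'beforeInput' } = {}) {
  const ms = new MaskingStream({ replace });
  const screen = [];
  ms.on('data', (c) => screen.push(c));
  ms.write('Password: ');                  // the prompt itself must stay visible
  if (muteAt === 'beforeInput') ms.mute();
  for (const ch of secret) ms.write(ch);   // keystroke echo, one character at a time
  if (muteAt === 'afterInput') ms.mute();  // nothing left to hide by now
  ms.unmute();
  ms.write('\n');
  return screen.join('');
}

// What an observer of the screen learns about the secret ('*' mask assumed).
function exposure(secret, screenText) {
  return {
    plaintext: screenText.includes(secret),
    lengthViaMask: (screenText.match(/\*/g) || []).length === secret.length,
  };
}
```

Dropping bytes reveals nothing, a replacement character reveals the secret's length, and muting after the input has been echoed leaves the plaintext on screen and in any terminal capture.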
FAQs
Bytes go in, but they don't come out (when muted).
The npm package mute-stream receives a total of 20,225,489 weekly downloads. As such, mute-stream popularity was classified as popular.
We found that mute-stream demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 6 open source maintainers collaborating on the project.