node-gyp-build
Package description
The node-gyp-build package is designed to simplify the process of compiling and distributing native Node.js addons. It automatically detects the platform and architecture of the user's system and chooses the correct pre-compiled binary to use, if available. If a pre-compiled binary is not available, it falls back to building from source using node-gyp.
Loading pre-compiled binaries
This code attempts to load a pre-compiled binary for the native addon located in the same directory as the script. If a pre-compiled binary is not available for the current platform, it will attempt to compile the addon from source.
const nativeAddon = require('node-gyp-build')(__dirname)
Building from source
This code snippet demonstrates how to explicitly get the path to the correct binary and then require it. If the binary does not exist, node-gyp-build will attempt to compile the addon from source using the binding.gyp file located in the __dirname directory.
const path = require('path');
const nodeGypBuild = require('node-gyp-build');
const bindingPath = nodeGypBuild.path(__dirname);
const binding = require(bindingPath);
The prebuild package is similar to node-gyp-build in that it also focuses on handling pre-built native binaries for Node.js modules. It allows module authors to pre-compile binaries for various versions of Node.js and platforms, which can then be easily installed by end users. Compared to node-gyp-build, prebuild requires more manual setup for defining prebuild scripts and managing binary uploads and downloads.
node-pre-gyp is another tool that provides a way to publish and install Node.js C++ addons from binaries. It is similar to node-gyp-build but comes with a different set of features and a more complex configuration. node-pre-gyp allows for storing binary packages on remote servers and fetching them during installation, which can be more flexible but also more complex to set up compared to node-gyp-build.
neon-cli is a toolchain for creating native Node.js modules with Rust. While it serves a different purpose by targeting Rust instead of C++, it provides similar functionality in terms of compiling and distributing native modules. It automates the process of building and publishing Rust-based Node addons, which can be seen as an alternative approach to node-gyp-build for developers who prefer Rust over C++.
Readme
Build tool and bindings loader for node-gyp that supports prebuilds.
npm install node-gyp-build
Use together with prebuildify to easily support prebuilds for your native modules.
node-gyp-build works similarly to node-gyp build, except that it first checks whether a build or prebuild is already present before rebuilding your project. Its main intended use is as an npm install script and bindings loader for native modules that bundle prebuilds using prebuildify.
First, add node-gyp-build as an install script to your native project:
{
  ...
  "scripts": {
    "install": "node-gyp-build"
  }
}
Then, in your index.js, instead of using the bindings module, use node-gyp-build to load your binding:
var binding = require('node-gyp-build')(__dirname)
If you do these two things and bundle prebuilds with prebuildify, your native module will work on most platforms without having to compile at install time, AND it will work in both Node.js and Electron without the need to recompile when switching between them.
MIT
FAQs
The npm package node-gyp-build receives a total of 7,057,352 weekly downloads. As such, node-gyp-build's popularity was classified as popular.
We found that node-gyp-build demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.