Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
🕖 Typed library to work 2fa via Google Authenticator/Time-based TOTP/Hmac-based HOTP
Typed library to work 2fa via Google Authenticator/Time-based TOTP/Hmac-based HOTP
npm
npm i otp-io
Yarn
yarn add otp-io
HOTP
- HMAC-based One Time Password generation method. Uses incrementing with each login counter
and secret
to generate unique 6-8 digit codes.TOTP
- Time-based, uses current time
modulo period
(seconds) as counter in HOTP
,Google Authenticator
- uses simplified version of TOTP
to generate codes. Differences:
SHA-1
hash supportGoogle Authenticator limits are defaults for this library.
// 1. Import library - use totp (code changes with time)
import { totp, generateKey, getKeyUri } from "otp-io";
// 2. Import crypto adapter. Either `crypto-node` or `crypto-web` - API is identical
import { hmac, randomBytes } from "otp-io/crypto-node";
// 3. Get key from somewhere. Or generate it
const key = generateKey(randomBytes, /* bytes: */ 20); // 5-20 good for Google Authenticator
// 4. Get key import url
const url = getKeyUri({
type: "totp",
secret,
name: "User's Username",
issuer: "Your Site Name"
});
// 5. Show it to user as QR code - send it back to client
// Get 6-digit code back from him, as confirmation of saving secret key
const input = "...";
const code = await totp(hmac, { secret });
if (code === input) {
// 6. Done. User configured your key
}
FAQs
🕖 Typed library to work 2fa via Google Authenticator/Time-based TOTP/Hmac-based HOTP
The npm package otp-io receives a total of 1,790 weekly downloads. As such, otp-io popularity was classified as popular.
We found that otp-io demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.