Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
What if you could talk to anyone in the world through your terminal or shell? Add to it a beautiful console, emoji support and end to end encryption. No need for web browsers. No need for servers or databases. This is the magic of p2p and this lightweight tool harvests the potential of p2p by helping you create global chatrooms or join existing rooms. Connect with anyone around the world in seconds.
npm i -g pikapo
If you get an error regarding node-pre-gyp
you will need to perform this additional step
npm i -g node-pre-gyp
Once installed you could use pikapo
or pk
command to interact with the tool.
There are just two options:
Host a chatroom. Fill in the room name, shared passkey, encryption algorithm and your unique alias for the room
pk host
Join a chatroom. Fill in the room name, shared passkey and your unique alias for the room
pk connect
And thats about it. Start talking!
P2P broadcast can be implemented using a full mesh network or star network. Pikapo uses start network, where the host acts as a hub and every connected peer is a spoke. There are pros and cons to both implementations. Here are the advantages gained by pikapo using start network:
Every message arriving at the hub is assigned a serial id, before being pushed into a message queue. The ids are simply whole numbers starting from 1. The id of the last arriving message is synced across peers. This helps peers detect missing messages. They then send a resend request for the message to the hub. And the hub fetches the lost message from the rolling archive and sends it back to the requesting peer.
The host maintains a rolling archive, which clears itself every 5 minutes. Every message cleared from the message queue is sent to this archive.
And here are the cons:
Once the host exits, the room self destructs in 15 seconds following a farewell from our beloved bot. The room name is released and can be recreated by another host.
As stated host is the creator, designer and destroyer.
Closes the connection and exits the room. If you are a participant, your departure will be announced to all the members. If you are the host, the room will self destruct after your departure.
A command for the host. Prints out a list of all the members in the room.
A command for the participants. Provides real time data loss percentage. The data loss may not be sustained as most lost messages arrive late or are requested from the archive. This command can still help detect connection problems. If there is an increased data loss over time, across several peers, there might be a problem with the host.
2 encryption algorithms are available : AES & RABBIT. The messages are encrypted using a 256-bit encryption key created from the shared passkey. Crypto Js handles the key creation, encryption and decryption.
Emoji support is provided by node-emoji. You can use the syntax :kiss:
to display the emojis at the receiver's end or directly insert emojis from built in panels available on many systems. Not all shells support emojis.
simple-peerjs : It uses the signal exchange mechanism of PeerJs with the WebRTC implementation of simple-peer. This library provides the foundation for p2p communication in pikapo.
FAQs
P2P chatrooms in the shell
The npm package pikapo receives a total of 0 weekly downloads. As such, pikapo popularity was classified as not popular.
We found that pikapo demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.