
Research
Malicious npm Packages Impersonate Flashbots SDKs, Targeting Ethereum Wallet Credentials
Four npm packages disguised as cryptographic tools steal developer credentials and send them to attacker-controlled Telegram infrastructure.
pitboss-ng
Advanced tools
Run untrusted code in a seperate process using VM2 module. With timeout and memory limit management
var Pitboss = require('pitboss-ng').Pitboss;
var untrustedCode = "var a = !true;\n a";
var sandbox = new Pitboss(untrustedCode, {
memoryLimit: 32*1024, // 32 MB memory limit (default is 64 MB)
timeout: 5*1000, // 5000 ms to perform tasks or die (default is 500 ms = 0.5 s)
heartBeatTick: 100 // interval between memory-limit checks (default is 100 ms)
});
sandbox.run({
context: { // context is an object of variables/values accessible by the untrusted code
'foo': 'bar', // context must be JSON.stringify positive
'key': 'value' // = no RegExp, Date, circular references, Buffer or more crazy things
},
libraries: {
myModule: path.join(__dirname, './my/own/module'),
// will be available as global "myModule" variable for the untrusted code
'crypto': 'crypto', // you can also require system/installed packages
'_': 'underscore' // require underscore the traditional way
}
}, function callback (err, result) {
// result is synchronous "return" of the last line in your untrusted code, here "a = !true", so false
console.log('Result is:', result); // prints "Result is: false"
sandbox.kill(); // don't forget to kill the sandbox, if you don't need it anymore
});
// OR other option: libraries can be an array of system modules
sandbox.run({
context: {}, // no data-variables are passed to context
libraries: ['console', 'lodash'] // we will be using global "lodash" & "console"
}, function callback (err, result) {
// finished, kill the sandboxed process
sandbox.kill();
});
var assert = require('chai').assert;
var Pitboss = require('pitboss-ng').Pitboss;
var code = "num = num % 5;\nnum;"
var sandbox = new Pitboss(code);
sandbox.run({context: {'num': 23}}, function (err, result) {
assert.equal(3, result);
sandbox.kill(); // sandbox is not needed anymore, so kill the sandboxed process
});
var assert = require('chai').assert;
var Pitboss = require('pitboss-ng').Pitboss;
var code = "num = num % 5;\n console.log('from sandbox: ' + num);\n num;"
var sandbox = new Pitboss(code);
sandbox.run({context: {'num': 23}, libraries: ['console']}, function (err, result) {
// will print "from sandbox: 5"
assert.equal(3, result);
sandbox.kill(); // sandbox is not needed anymore, so end it
});
var assert = require('chai').assert;
var Pitboss = require('pitboss-ng').Pitboss;
var code = "while(true) { num % 3 };";
var sandbox = new Pitboss(code, {timeout: 2000});
sandbox.run({context: {'num': 23}}, function (err, result) {
assert.equal("Timedout", err);
sandbox.kill();
});
var assert = require('chai').assert;
var Pitboss = require('pitboss-ng').Pitboss;
var code = "Not a JavaScript at all!";
var sandbox = new Pitboss(code, {timeout: 2000});
sandbox.run({context: {num: 23}}, function (err, result) {
assert.include(err, "VM Syntax Error");
assert.include(err, "Unexpected identifier");
sandbox.kill();
});
var assert = require('chai').assert;
var Pitboss = require('pitboss-ng').Pitboss;
var code = "var str = ''; while (true) { str = str + 'Memory is a finite resource!'; }";
var sandbox = new Pitboss(code, {timeout: 10000});
sandbox.run({context: {num: 23}}, function (err, result) {
assert.equal("Process failed", err);
sandbox.kill();
});
And since Pitboss-NG forks each process, ulimit kills only the runner
FAQs
Run untrusted code in a seperate process using VM2 module. With timeout and memory limit management
The npm package pitboss-ng receives a total of 462 weekly downloads. As such, pitboss-ng popularity was classified as not popular.
We found that pitboss-ng demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Four npm packages disguised as cryptographic tools steal developer credentials and send them to attacker-controlled Telegram infrastructure.
Security News
Ruby maintainers from Bundler and rbenv teams are building rv to bring Python uv's speed and unified tooling approach to Ruby development.
Security News
Following last week’s supply chain attack, Nx published findings on the GitHub Actions exploit and moved npm publishing to Trusted Publishers.