The 'pkginfo' npm package allows you to retrieve information from a package.json file in a Node.js project. It is useful for accessing metadata such as the version, author, and dependencies of a package programmatically.
Retrieve package information
This feature allows you to retrieve and log the package information from the package.json file. By requiring 'pkginfo' and passing 'module' to it, the package information is attached to the module.exports object.
const pkginfo = require('pkginfo')(module);
console.log(module.exports);
Retrieve specific fields
This feature allows you to retrieve specific fields from the package.json file. In this example, only the 'version' and 'author' fields are retrieved and logged.
const pkginfo = require('pkginfo')(module, 'version', 'author');
console.log(module.exports);
The 'read-pkg' package reads the package.json file and returns its content as a JavaScript object. Unlike 'pkginfo', which attaches the information to the module.exports object, 'read-pkg' provides a more straightforward way to access the package.json content directly.
The 'pkg-up' package finds the closest package.json file by traversing up from the current directory. It is useful for locating the package.json file in a project, whereas 'pkginfo' focuses on retrieving information from a known package.json file.
The 'normalize-package-data' package normalizes package metadata, ensuring that the package.json data conforms to expected standards. While 'pkginfo' retrieves package information, 'normalize-package-data' focuses on validating and cleaning the data.
An easy way to expose properties on a module from a package.json
curl http://npmjs.org/install.sh | sh
[sudo] npm install pkginfo
How often when writing node.js modules have you written the following line(s) of code?
exports.version = '0.1.0';
exports.version = require('/path/to/package.json').version;
In other words, how often have you wanted to expose basic information from your package.json onto your module programmatically? WELL NOW YOU CAN!
Using pkginfo is idiot-proof, just require and invoke it.
var pkginfo = require('pkginfo')(module);
console.dir(module.exports);
By invoking the pkginfo module all of the properties in your package.json file will be automatically exposed on the callee module (i.e. the parent module of pkginfo).
Here's a sample of the output:
{ name: 'simple-app',
description: 'A test fixture for pkginfo',
version: '0.1.0',
author: 'Charlie Robbins <charlie.robbins@gmail.com>',
keywords: [ 'test', 'fixture' ],
main: './index.js',
scripts: { test: 'vows test/*-test.js --spec' },
engines: { node: '>= 0.4.0' } }
If you don't want to expose all properties from your package.json on your module, then simply pass the names of the properties you want to the pkginfo function:
var pkginfo = require('pkginfo')(module, 'version', 'author');
console.dir(module.exports);
{ version: '0.1.0',
author: 'Charlie Robbins <charlie.robbins@gmail.com>' }
If you're looking for further usage see the examples included in this repository.
Tests are written in vows and give complete coverage of all APIs.
vows test/*-test.js --spec
FAQs
The npm package pkginfo receives a total of 1,446,519 weekly downloads. As such, pkginfo popularity was classified as popular.
We found that pkginfo demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.