Research
Security News
Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
scatter-js
Advanced tools
This is an importable javascript library that allows web applications to directly interface with Scatter Desktop.
This is an importable javascript library that allows web applications to directly interface with Scatter Desktop.
// ES Module style
import ScatterJS from 'scatter-js/dist/scatter.esm';
// CommonJS style
import ScatterJS from 'scatter-js/dist/scatter.cjs';
//or
const ScatterJS = require('scatter-js/dist/scatter.<SUFFIX>');
You can also just drop the scatter.min.js
bundle from the dist/
directory here right into
your html file and use it as a fully packed browser-ready package.
<script src="path/to/scatter.min.js"></script>
Coming soon.
This library catches both Scatter Desktop and Scatter Classic ( old extension ) depending on the
existence of either.
All you have to do is call scatter.connect(...)
and it will feed you back one or the other once
it connects, or time out after 5 seconds and return false in the connected
result.
ScatterJS.scatter.connect("Put_Your_App_Name_Here").then(connected => {
if(!connected) {
// User does not have Scatter Desktop or Classic installed.
return false;
}
// Use `scatter` normally now.
ScatterJS.scatter.getIdentity(...);
});
scatter-js requires that you supply an RSA key for local socket encryption to the desktop client. This key only allows your app to prove itself to Scatter Desktop. How you choose to save the key ( local storage, session, backend ) is up to you, but if it changes then it will not re-prompt the user to accept connections from your application, they will have to know to manually remove the app link and resync with your application.
It is best to serve this key deterministically.
If no getter/setter is provided then scatter-js
will use localStorage
to store a randomly generated
RSA key by default.
Getters and Setters must be promises!
let KEY = ``;
const keyGetter = () => new Promise(resolve => resolve(KEY));
const keySetter = (x) => new Promise(resolve => resolve(KEY = x));
ScatterJS.scatter.connect("Put_Your_App_Name_Here", {keyGetter, keySetter}).then(...);
{
keyGetter,
keySetter,
// You may specify a maximum timeout for checking if a user has Scatter installed
// This defaults to 10 seconds
initTimeout:10000,
// You may also specify a maximum timeout for checking if a user has accepted the app link
// inside of their Scatter desktop. This defaults to 30 seconds.
linkTimeout:30000
}
scatter-js binds to the window
reference if it notices that an application has a window
on global scope.
This is useful for <script src="...">
imports for sites without nodejs/npm, but is also semi-dangerous.
If you don't null out the window reference then extensions will be able to catch it on the window's scope and pretend to send requests from your authorized application.
The best practice is to offload the scatter reference to your own global/state variable and nullify the window ref.
setStateVariable(window.scatter);
window.scatter = null;
See the Developer Documentation to find out how to interact with Scatter and various blockchains.
Scatter sits on top of eosjs or web3, so learn to use those depending on which blockchain you are interfacing with.
FAQs
This is an importable javascript library that allows web applications to directly interface with Scatter Desktop.
The npm package scatter-js receives a total of 7 weekly downloads. As such, scatter-js popularity was classified as not popular.
We found that scatter-js demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.