scopetracer
Modify JavaScript strings by applying mutation functions to each scope node in the AST
Modify scoped segments of JavaScript. Provide a mutating function and a filter test, and it will apply the mutator to scope blocks found in JavaScript strings.
var ScopeTracer = require("scopetracer")

var input = "// some javascript!\n\
function foo() {\n\
  // In a function\n\
  var abc = 'ABC'\n\
  setTimeout(function () {\n\
    console.log(abc)\n\
  }, 10)\n\
}\n\
foo()\n"

function mutate(content) {
  // We're putting things in single quotes, so escape single quotes
  var name = this.fnName.replace(/'/g, "\\'")
  if (this.body.length === 0) {
    return []
  }
  return [{insertion: "console.log('entering " + name + "');", pos: this.body[0].range[0]}]
}

function nodeTest() {
  // Only functions, not the outer enclosing scope.
  return this.path.length > 0
}

var tracer = ScopeTracer(mutate, nodeTest)
var output = tracer.transform(input)
console.log(output)
/*
// some javascript!
function foo() {
  // In a function
  console.log('entering foo');var abc = 'ABC'
  setTimeout(function () {
    console.log('entering foo>setTimeout() fn argument');console.log(abc)
  }, 10)
}
foo()
*/

eval(output)
/*
entering foo
entering foo>setTimeout() fn argument
ABC
*/
var scopetracer = require("scopetracer")(mutate[, nodeTest])

Creates a tracer object that can be used to transform JavaScript strings.

mutate(content[, extra[, ...]])

The mutate function is called with this bound to the scopenodes node defining this scope. This is usually a function, though it will also include the outer Program enclosing scope. It is an Esprima AST node with a couple of additions added by scopenodes.

To mutate the content, return an array of objects defining the insertions or replacements to make. Insertions are always safe, but it is up to you to make sure that replacements (using remove) do not overlap other insertions or replacements.
[
  {
    insertion: "string to insert",
    pos: 200, // Position to insert, relative to the Esprima "range" e.g. this.range[0]
    remove: 0, // optional, how many characters to remove from content prior to inserting
    pri: 0, // optional: insertion priority in case of a `pos` tie. Lower pri inserts before higher pri.
  },
  {
    // ... return as many mutations as you like
  }
]
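The following is an added example, not scopetracer's own implementation: it models how an array of mutation objects in the shape above is applied to a content string, and adds the overlap check the caveat above leaves to the caller. It assumes pos is an offset into the content string, remove defaults to 0, lower pri lands first on a pos tie, and the SAMPLE string is constructed for the demonstration.

```javascript
// Added model of mutation application (not scopetracer's code). Assumed semantics:
// `pos` is an offset into `content`, `remove` (default 0) characters are dropped
// before inserting, and on a `pos` tie the lower `pri` (default 0) is inserted first.
function applyMutations(content, mutations) {
  var ordered = mutations.slice().sort(function (a, b) {
    return (a.pos - b.pos) || ((a.pri || 0) - (b.pri || 0));
  });
  // Bounds and overlap check: a replacement's removed range [pos, pos+remove) must not
  // intersect any other mutation. A pure insertion at the range's start is fine.
  for (var i = 0; i < ordered.length; i++) {
    var m = ordered[i];
    var end = m.pos + (m.remove || 0);
    if (m.pos < 0 || end > content.length) {
      throw new RangeError("mutation at " + m.pos + " is out of bounds");
    }
    for (var j = i + 1; j < ordered.length; j++) {
      var o = ordered[j];
      if (o.pos < end && o.pos + (o.remove || 0) > m.pos) {
        throw new Error("replacement at " + m.pos + " overlaps mutation at " + o.pos);
      }
    }
  }
  // Apply from the highest offset down so earlier offsets stay valid.
  var out = content;
  for (var k = ordered.length - 1; k >= 0; k--) {
    var mu = ordered[k];
    out = out.slice(0, mu.pos) + mu.insertion + out.slice(mu.pos + (mu.remove || 0));
  }
  return out;
}

// Constructed sample mirroring the README's foo() body: trace on entry (two insertions
// tied at pos 0, ordered by pri) and replace the string literal at offset 10.
var SAMPLE = "var abc = 'ABC'\nconsole.log(abc)\n";
function demo() {
  return applyMutations(SAMPLE, [
    { insertion: "console.log('entering foo');", pos: 0, pri: 1 },
    { insertion: "'use strict';", pos: 0, pri: 0 },
    { insertion: "'XYZ'", pos: 10, remove: 5 }
  ]);
}
console.log(demo());
```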
nodeTest(content[, extra[, ...]])

The test function is called with the same context as mutate. It is simply expected to return true if mutate should be run, or false if mutate is to be skipped for this node.

The default nodeTest if not defined is function nodeTest() { return true; }, i.e. always call mutate.

scopetracer.transform(content[, extra[, ...]])

Extract scope nodes, then transform them according to mutate and nodeTest. Any extra arguments will be passed as additional arguments to mutate and nodeTest.
MIT
FAQs
The npm package scopetracer receives a total of 8 weekly downloads. As such, its popularity was classified as not popular.
We found that scopetracer demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.