Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
A pure javascript secure copy program based on ssh2.
scp2 is greatly powered by ssh2, implemented the scp
in a sftp
way.
It it written in pure javascript, and should work on every OS, even Windows. Nodejs (v0.8.7 or newer) is required to make it work.
You can either use it as a library, or a program. For Windows users who miss scp on *nix world, you can get the command line now:
$ npm install scp2 -g
You will get a command line tool scp2
, and let's try:
$ scp2 -h
Get the development version from ninja channel:
$ npm install scp2@ninja
Get the client:
var client = require('scp2')
Copy a file to the server:
client.scp('file.txt', 'admin:password@example.com:/home/admin/', function(err) {
})
Copy a file to the server in another way:
client.scp('file.txt', {
host: 'example.com',
username: 'admin',
password: 'password',
path: '/home/admin/'
}, function(err) {})
Copy a file to the server and rename it:
client.scp('file.txt', 'admin:password@example.com:/home/admin/rename.txt', function(err) {
})
Copy a directory to the server:
client.scp('data/', 'admin:password@example.com:/home/admin/data/', function(err) {
})
Copy via glob pattern:
client.scp('data/*.js', 'admin:password@example.com:/home/admin/data/', function(err) {
})
Download a file from server:
client.scp('admin:password@example.com:/home/admin/file.txt', './', function(err) {
})
Download a file from server in another way:
client.scp({
host: 'example.com',
username: 'admin',
password: 'password',
path: '/home/admin/file.txt'
}, './', function(err) {})
TODO: download via glob pattern.
The get client:
var Client = require('scp2').Client;
The high level client is an instance of Client
, but it contains the high level API scp
.
defaults function({})
set the default values for the remote server.
client.defaults({
port: 22,
host: 'example.com',
username: 'admin',
privateKey: '....'
});
You can also initialize the instance with these values:
var client = new Client({
port: 22
});
More on the values at ssh2.
sftp function(callback) -> callback(err, sftp)
Get the sftp.
close function()
Close all sessions.
mkdir function(dir, [attr], callback) -> callback(err)
Make a directory on the remote server. It behaves like mdkir -p
.
write function(options, callback) -> callback(err)
Write content on the remote server.
client.write({
destination: '/home/admin/data/file.txt',
content: 'hello world'
}, callback)
The options can contain:
upload function(src, dest, callback) -> callback(err)
upload a local file to the server.
client.upload('file.txt', '/home/admin/file.txt', callback)
download function(src, dest, callback) -> callback(err)
download a server file to local.
You can listen on these events:
2013-03-05 0.1.0a1
~ ninja
2013-03-06 0.1.0a2
~ ninja
FAQs
A pure javascript scp program based on ssh2.
The npm package scp2 receives a total of 9,085 weekly downloads. As such, scp2 popularity was classified as popular.
We found that scp2 demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.