Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
scraper-instagram
Advanced tools
Scrape data from Instagram without applying for the authenticated API.
From npm
yarn add scraper-instagram
or
npm i scraper-instagram --save
const Insta = require('scraper-instagram');
const InstaClient = new Insta();
Authentication allows you to access private profile as long as you follow them.
Ctrl
+ Shift
+ I
)sessionid
cookie value
application
tabstorage
tabInstaClient.authBySessionID(yourSessionID)
.then(account => console.log(account))
.catch(err => console.error(err));
If authentication is successfull, you'll get the form data from accounts/edit
:
{
"first_name": "",
"last_name": "",
"email": "",
"is_email_confirmed": true,
"is_phone_confirmed": true,
"username": "",
"phone_number": "",
"gender": 1,
"birthday": null,
"biography": "",
"external_url": "",
"chaining_enabled": true,
"presence_disabled": false,
"business_account": false,
"usertag_review_enabled": false
}
If your session ID is invalid, you'll get the 401
error.
Username/password authentication may be supported in the future.
These methods allows you to get specific elements from Instagram while you know exactly what you're looking for.
get
may return errors in the two following cases.
406
)204
)401
)InstaClient.getProfile(username)
.then(profile => console.log(profile))
.catch(err => console.error(err));
Result
name
string - public full namepic
url - public profile picturebio
string - public biography
website
url - public website
private
boolean - account private stateaccess
boolean - access to the profile's feed
verified
boolean - account verified statefollowers
integer - number of users following this profilefollowing
integer - number of users this profile followsposts
integer - number of posts this profile publishedlastPosts
array of posts - last posts
[]
) when the profile doesn't have any post but null
if access
is false
(denied).link
url - link to the profile's pagebusiness
string - business category (when applicable and profile unblocked)user
object - user relevant properties (while authenticated) :
mutualFollowers
array of usernames - people following you and this profileblocking
boolean - you blocked this profileblocked
boolean - this profile blocked you (only available property in user
while true
)requesting
boolean - you sent a follow request to this profile (if private)requested
boolean - this profile sent you a follow request (if yours is private)following
boolean - you're following this profilefollowed
boolean - this profile follows youTBA : story
InstaClient.getHashtag(hashtag)
.then(hashtag => console.log(hashtag))
.catch(err => console.error(err));
Result
pic
url - hashtag profile pic (can't find out how it is chosen)posts
integer - number of posts containing this hashtagfeaturedPosts
array of posts - featured posts published with this hashtag
lastPosts
array of posts - last posts published with this hashtag
link
url - link to the hashtag's pageuser
object - user relevant properties (while authenticated) :
following
boolean - you subscribed to this hashtag (receiving posts in your personal feed)TBA : stories
Unfortunately, using IDs is currently the only way to get a location, at least for now.
InstaClient.getLocation(id)
.then(location => console.log(location))
.catch(err => console.error(err));
Result
pic
url - location profile picposts
integer - posts published from that locationaddress
object
street
stringzipCode
stringcity
stringlatitude
floatlongitude
floatwebsite
url - place's websitephone
string - place's contact phone numberfeaturedPosts
array of posts - featured posts published from this location
lastPosts
array of posts - last posts published from this locationlink
url - link to this location's pageThis is a subset of a real post, containing the following properties :
shortcode
string - post identifiercaption
string - post descriptioncomments
integer - number of commentslikes
integer - number of likesthumbnail
url - post thumbnail
The shortcode is the post's identifier : the link to a post is instagram.com/p/shortcode.
InstaClient.getPost(shortcode)
.then(post => console.log(post))
.catch(err => console.error(err));
Result
author
object - a subset of a profile's properties.
username
stringname
stringpic
urlverified
booleanlink
urllocation
name
stringcity
stringcontents
array of posts
type
string - post type : photo
or video
url
string - link to original post file (jpg
, mp4
, ...)type
is video
:
thumbnail
string - link to thumbnail
views
integer - number of viewstagged
array of usernames - people tagged in post contentslikes
integer - number of likescaption
string - post descriptionhashtags
array of hashtags - hashtags mentioned in post descriptionmentions
array of usernames - people mentioned in post descriptionedited
boolean - caption editedcomments
array of objects (Max 40)
user
string - comment author's usernamecontent
string - comment contenttimestamp
epochhashtags
array of hashtagsmentions
array of usernameslikes
integertimestamp
epochlink
string - link to the postInstaClient.searchProfile(query)
.then(profiles => console.log(profiles))
.catch(err => console.error(err));
Result in array : a subset of profile.
username
name
pic
private
verified
followers
user
following
InstaClient.searchHashtag(hashtag)
.then(hashtags => console.log(hashtags))
.catch(err => console.error(err));
Result in array : a subset of hashtag.
name
posts
InstaClient.searchLocation(location)
.then(locations => console.log(locations))
.catch(err => console.error(err));
Result in array : a subset of location.
id
name
address
street
city
latitude
longitude
options
object (optional)
interval
integer (optional) - time in seconds between requests. Default : 30lastPostShortcode
string (optional) - shortcode from which to begin if not the next one to be published.fullPosts
boolean (optional) - fetch full post data, additional request requiredInstaClient.subscribeUserPosts(username, (post, err) => {
if(post)
console.log(post.shortcode);
else
console.error(err);
}, {
interval,
lastPostShortcode,
fullPosts
});
InstaClient.subscribeHashtagPosts(hashtag, (post, err) => {
if(post)
console.log(post.shortcode);
else
console.error(err);
}, {
interval,
lastPostShortcode,
fullPosts
});
InstaClient.getAccountNotifications()
.then(notifications => console.log(notifications))
.catch(err => console.error(err));
Result in array : notification
id
string - Notification identifiertimestamp
epochtype
string - Notification type : like
, mention
, comment
, follow
post
shortcode
thumbnail
by
username
name
pic
content
string - Comment content (when applicable)lastNotification
string (optional) - Notification IDInstaClient.subscribeAccountNotifications(interval, lastNotification).subscribe({
next: notification => console.log(notification),
error: err => console.error(err)
});
1.0.0
(2019-03-26) • Initial release1.0.1
(2019-03-27)
1.0.2
(2019-03-27) • Added support for videos1.0.4
(2019-03-27)
1.0.5
(2019-03-27) • Added proper error for private accounts1.0.6
(2019-03-31) • Private account access doesn't require mutual follow1.0.7
(2019-04-03) • Added profile's last posts analytics #1 + more1.0.8
(2019-04-14)
id
properties1.0.9
business
property to profile (when applicable)1.0.10
(2020-01-26) • Fixed post comments on anonymous session1.0.11
(2020-04-18)
401
detection1.0.12
(2020-06-16) • Small fix & refactorFAQs
Instagram scraper without authenticated API
The npm package scraper-instagram receives a total of 156 weekly downloads. As such, scraper-instagram popularity was classified as not popular.
We found that scraper-instagram demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.