
Research
Malicious npm Packages Impersonate Flashbots SDKs, Targeting Ethereum Wallet Credentials
Four npm packages disguised as cryptographic tools steal developer credentials and send them to attacker-controlled Telegram infrastructure.
This is a Javascript/Node.js library that leverages Amazon KMS and Amazon S3 to provide a secure way to encrypt and decrypt secrets (Strings) such that your data encryption keys are stored separately and themselves encrypted by a KMS customer master key.
This is a common requirement for PCI DSS compliance - this approach has been used to pass PCI Audits by payments companies hosting on AWS.
http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
Encryption:
A request is made to S3 to retrieve an encrypted data key.
If the key DOES exist, it is retrieved and decrypted using KMS.
If the key DOES NOT exist, a new encrypted key is requested from KMS and stored in S3.
The data key is used to encrypt the secret locally. The decrypted key is only ever kept in memory for the duration of the operation.
The encrypted data is returned along with the data key name, data key version, and master key name.
Decryption:
A request is made to S3 to retrieve an encrypted data key.
The data key is decrypted using KMS.
The data key is used to decrypt the data locally. The decrypted key is only ever kept in memory for the duration of the operation.
The decrypted secret is returned.
Even if an attacker downloads your data AND your keys they cannot decrypt your data without KMS access
Create an instance providing your AWS credentials and config:
const secretkms = require('secretkms')({
accessKey: 'AKIAIMGERGY46EXAMPLE',
secretKey: 'aX45RdV0FRSPEKh44FpvCksQV8eT2aj6REXAMPLE',
masterKey: '9b64aaa7-ce47-4dac-8830-e0da1EXAMPLE',
region: 'us-east-1',
bucket: 'application-secretkms',
});
const encryptedData = await secretkms.encrypt('foo is my secret', keyName);
This returns an object:
{
"data":"uSQfQ1z0RbFbUXL/hOgRTIBlCPuotLvgByzw4BtFnQo=",
"key":{
"masterKey":"9b64aaa7-ce47-4dac-8830-e0da1EXAMPLE",
"name":"MY_DATA_KEY_NAME_EG_USER_UUID",
"version":"EZcPuxOQ9wyrSn0ROxWOIrOsToBSJ2Zw"
}
}
Note: You should store this entire object in your database as the "encrypted secret"!!!
const decryptedSecret = await secretkms.decrypt(encryptedData, keyName);
This returns an object:
{
"secret": "foo is my secret"
}
This client is written with ES 2017 features like async await.
To make it compatible to a wider audience, I have transpiled to a ES 2015 profile with Babel.
If you need to rebuild this, just run yarn install
then yarn build
.
The transpiled file and source map end up in /dist
.
As an example, a terraform file has been provided that will create the necessary IAM User, S3 bucket(s) and KMS key. To install terraform on a mac, use brew install terraform
.
Note: You will need to edit setup.tf
and include an Adminsitrator AWS ACCESS KEY and AWS SECRET KEY to allow terraform to construct resources.
To preview the infrastructure:
$ terraform plan
To create some infrastructure
$ terraform apply
The output of terraform will give you three configuration values you will need to use this client:
Outputs:
accessKey = AKIAIAU4UPRNXEXAMPLE
secretKey = 2iSBp4vfZ5Simu5yeOAbeW9X/g5wvGQc-EXAMPLE
kmsCustomerMasterKey = 300054ea-f7ad-46f9-9162-3fd83EXAMPLE
FAQs
secretkms client for storing secrets
The npm package secretkms receives a total of 23 weekly downloads. As such, secretkms popularity was classified as not popular.
We found that secretkms demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Four npm packages disguised as cryptographic tools steal developer credentials and send them to attacker-controlled Telegram infrastructure.
Security News
Ruby maintainers from Bundler and rbenv teams are building rv to bring Python uv's speed and unified tooling approach to Ruby development.
Security News
Following last week’s supply chain attack, Nx published findings on the GitHub Actions exploit and moved npm publishing to Trusted Publishers.