Research
Security News
Malicious npm Package Typosquats react-login-page to Deploy Keylogger
Socket researchers unpack a typosquatting package with malicious code that logs keystrokes and exfiltrates sensitive data to a remote server.
secure-vm
Advanced tools
Readme
๐งช Experimental
vm()
based on iframe for frontend (electron, micro apps, etc).
vm()
with window
(if you don't want protection)!debugger
.babel
to implement that though).npm install secure-vm
yarn add secure-vm
pnpm install seucre-vm
<script src="https://cdn.jsdelivr.net/npm/secure-vm@latest/dist/index.global.js"></script>
<script>
const ctx = SecureVM.vm()
</script>
import { vm } from 'secure-vm'
const ctx = vm() // Create an isolated context.
ctx.console = globalThis.console
ctx.eval(`
console.log("Hello secure-vm")
`)
โฃ๏ธ This is an experimental library that may be incompatible with some old browser kernels (for example, Opera). However, it works on latest versions of Chromium, Firefox, Edge and Safari.
๐ซ Try it out by yourself: (Demo not ready)
๐ฐ Ease to useโ
To create a simple isolation, you only have to use a simple function,
๐ฝ You can bypass almost everything to your sandbox and it will work properly, for example,
|
๐ Security๐ฅฐ Feel free to add anything you want, secure-vm also fixed almost all security issues on evel, for example, Object.prototype bypass will fail.
๐ค Dynamic Maybe we can run these code by using
|
๐ค Obfuscation๐ secure-vm will automatically erase the traceback line info (if available) so hackers cannot access source code, making it harder to deobfuscate.
|
๐จ Customization๐ You can customize global objects by:
...or use our default whitelist by:
|
This project is licensed under the MIT license.
โค๏ธ
FAQs
Unknown package
We found that secure-vm demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago.ย It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers unpack a typosquatting package with malicious code that logs keystrokes and exfiltrates sensitive data to a remote server.
Security News
The JavaScript community has launched the e18e initiative to improve ecosystem performance by cleaning up dependency trees, speeding up critical parts of the ecosystem, and documenting lighter alternatives to established tools.
Product
Socket now supports four distinct alert actions instead of the previous two, and alert triaging allows users to override the actions taken for all individual alerts.