slashes
Add or remove backslashes (escape or unescape).
import { addSlashes, removeSlashes } from 'slashes';
addSlashes(`foo\nbar`); // "foo\\nbar"
removeSlashes(`foo\\nbar`); // "foo\nbar"
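By default, addSlashes will escape (encode) the following characters.
- \b (backspace)
- \f (form feed)
- \n (newline)
- \r (carriage return)
- \t (horizontal tab)
- \v (vertical tab)
- \0 (null)
- " (double quote)
- \ (backslash)
const escaped = addSlashes(`\n`); // "\\n"
The default character set consists of the characters which cannot be used between double quotes in a JSON string.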
const validJsonString = `{ "key": "${escaped}" }`;
Escape encoding can be customized using the getEscaped option.
The following is the default, equivalent to not setting the getEscaped option.
import { getEscapedJsonUnsafe } from 'slashes';
addSlashes('...', { getEscaped: getEscapedJsonUnsafe });
Included getEscaped implementations:
- getEscapedJsonUnsafe - (Default) Encode characters which cannot be used between double quotes in a JSON string.
- getEscapedAny - Encode ANY character to a single letter (e.g. \n) or an ES5 Unicode (e.g. \u0100) escape sequence.
A custom getEscaped receives one character (may be Unicode > 2 bytes) at a time. It can return true to use the standard escape sequence, false to not escape the character, or a string to provide a custom escape sequence (must begin with a backslash and be at least 2 characters long).
getEscaped(character: string): boolean | `\\${string}`
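A custom getEscaped that emits only sequences JSON.parse accepts, as an added example that is not from the package's README: \v and \0 are valid JavaScript escapes but not valid JSON escapes, so the callback writes them as \u000b and \u0000. The names getEscapedJsonStrict, escapeWith, jsonAccepts and roundTripsAsJson are hypothetical, and escapeWith is a stand-in driver for the callback contract described above, not the package's addSlashes.

```javascript
// Hypothetical custom getEscaped callback: emits only escapes JSON.parse accepts.
// \v and \0 are valid JavaScript escapes but not JSON escapes, so they become \uXXXX.
const JSON_SHORT = new Map([
  ['\b', '\\b'], ['\f', '\\f'], ['\n', '\\n'], ['\r', '\\r'], ['\t', '\\t'],
  ['"', '\\"'], ['\\', '\\\\'],
]);

function getEscapedJsonStrict(character) {
  if (JSON_SHORT.has(character)) return JSON_SHORT.get(character);
  const code = character.codePointAt(0);
  // JSON forbids every raw control character U+0000..U+001F inside a string.
  if (code <= 0x1f) return '\\u' + code.toString(16).padStart(4, '0');
  return false; // leave every other character unescaped
}

// Stand-in driver (assumption, not the package's addSlashes): passes one code
// point at a time to the callback and enforces the documented string contract.
function escapeWith(text, getEscaped) {
  let out = '';
  for (const character of text) { // for...of iterates by code point
    const result = getEscaped(character);
    if (result === false) { out += character; continue; }
    if (typeof result !== 'string' || result.length < 2 || result[0] !== '\\') {
      throw new TypeError('this driver handles false or a backslash sequence only');
    }
    out += result;
  }
  return out;
}

// True when JSON.parse accepts the given text between double quotes.
function jsonAccepts(body) {
  try { JSON.parse(`"${body}"`); return true; } catch (err) { return false; }
}

// True when the escaped text decodes back to the original string.
function roundTripsAsJson(text) {
  const escaped = escapeWith(text, getEscapedJsonStrict);
  return jsonAccepts(escaped) && JSON.parse(`"${escaped}"`) === text;
}

// Constructed sample: every control character, a quote, a backslash, an astral code point.
const SAMPLE = Array.from({ length: 0x20 }, (_, i) => String.fromCharCode(i)).join('')
  + '"\\ \u{1F512}';

console.log(roundTripsAsJson(SAMPLE), jsonAccepts('\\v'), jsonAccepts('\\0'));
```

With the package installed, the callback would be passed as addSlashes(text, { getEscaped: getEscapedJsonStrict }), following the option shown above.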
By default, removeSlashes will unescape (decode) all JavaScript escape sequences.
// Handles letter escapes
removeSlashes(`\\n`); // "\n"
// Handles ES6 Unicode Code Point escapes
removeSlashes('\\u{a}'); // "\n"
// Handles ES5 Unicode escapes
removeSlashes('\\u000a'); // "\n"
// Handles hex escapes
removeSlashes('\\x0a'); // "\n"
// Handles octal escapes
removeSlashes('\\12'); // "\n"
// Handles any other backslash sequence by removing the leading slash
removeSlashes(`\\a`); // "a"
Although it should generally not be necessary because all escapes are handled by default, escape decoding can be customized using the getUnescaped option.
The following is the default, equivalent to not setting the getUnescaped option.
import { getUnescapedAny } from 'slashes';
removeSlashes('...', { getUnescaped: getUnescapedAny });
Included getUnescaped implementations:
- getUnescapedAny - Decode ANY JavaScript supported escape sequence.
A custom getUnescaped implementation receives the escape sequence as the first argument, and the escape sequence code point number or null (for single letter escape sequences) as the second argument. It can return true to use the standard decoding, false to treat the sequence as invalid (only removes the leading backslash), or a string (non-zero length) to provide a custom decoded value for the escape sequence.
getUnescaped(sequence: `\\${string}`, code: number | null): boolean | string
FAQs
Unknown package
We found that slashes demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.