stag-sandbox-lambda
AWS Lambda wrapper for Esprima component of Stagirite "Sandboxer"
A Lambda and Amazon API Gateway wrapper around the Esprima based 'Sandboxer' in the Stagirite core.
The key module is require'd from the private npm package @andynuss/stag0jsmunge.
Install project: npm install
Deploy to AWS Lambda with updated code: npm run-script deploy
Get AWS Lambda info: npm run-script info
Note: to deploy to AWS, you must have credentials. Also, be sure to set the default region to "us-west-2".
Note: npm run-script deploy will tag and push to the remote repo.
Currently, the API supports one method: a POST of a JavaScript "script", which will respond with the sandbox'ed result.
The API endpoint can be found at:
https://kdldbofr5a.execute-api.us-west-2.amazonaws.com/dev/sandbox-lambda
Request Body should be of type JSON (application/json), in the form:
{
"script": "var a = b[c]"
}
Response Body returns the sandbox'ed "result" in stringify'd JSON:
{
"result": "\"//var a=b[c];\nvar a=$$_s.Get($$_w,b,c,1);\n\""
}
Note: The AWS API Gateway endpoint is currently "open", meaning that access to the API doesn't require an auth token. This does not mean that the Lambda function code is visible/accessible on the public Internet; the AWS API Gateway hides and secures everything behind itself.
AWS API Gateway console:
https://us-west-2.console.aws.amazon.com/apigateway/home?region=us-west-2#/restapis/kdldbofr5a/resources/6kw15ioppi
The Sandboxer Lambda function itself, including monitoring and logging:
https://us-west-2.console.aws.amazon.com/lambda/home?region=us-west-2#/functions/sandbox-lambda
Notes and lessons learned:
The 'export'ed function in this file MUST be called handler, or Lambda will barf.
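As an added example (not code from the stag-sandbox-lambda project, nor from @andynuss/stag0jsmunge, whose API the README does not show), this is how a Node.js Lambda proxy handler for the POST contract above can be written, with the exported function named handler as the note requires. The names buildResponse, standInSandbox and MAX_SCRIPT_BYTES, the API Gateway proxy event shape (httpMethod, headers, body, isBase64Encoded) and the sandbox(source) -> string interface are assumptions; the stand-in sandboxer reproduces only the README's sample rewrite of "var a = b[c]" so that the request validation and the double-stringified "result" shape can be seen end to end.

```javascript
// Added example, not the project's own code. The real sandboxer is the private
// package @andynuss/stag0jsmunge; its API is not shown on the page, so the
// transform is injected as `sandbox(source) -> string` (an assumption).

const MAX_SCRIPT_BYTES = 64 * 1024; // assumed cap; the README states no limit

// Stand-in for the Esprima-based sandboxer: it only knows the README's sample
// (`var x = y[z]`) and throws for anything else, like a parser would.
function standInSandbox(source) {
  const m = /^\s*var\s+([A-Za-z_$][\w$]*)\s*=\s*([A-Za-z_$][\w$]*)\[([A-Za-z_$][\w$]*)\]\s*;?\s*$/.exec(source);
  if (!m) throw new SyntaxError('stand-in only understands "var x = y[z]"');
  const [, a, b, c] = m;
  return `//var ${a}=${b}[${c}];\nvar ${a}=$$_s.Get($$_w,${b},${c},1);\n`;
}

function jsonResponse(statusCode, payload) {
  return {
    statusCode,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(payload),
  };
}

// Pure request -> response logic, so it can be exercised without Lambda.
function buildResponse(event, sandbox) {
  if (event.httpMethod && event.httpMethod !== 'POST') {
    return jsonResponse(405, { error: 'method not allowed' });
  }
  // Header names reach the handler in whatever case the client sent them.
  const headers = event.headers || {};
  const ctKey = Object.keys(headers).find((k) => k.toLowerCase() === 'content-type');
  const contentType = ctKey ? String(headers[ctKey]) : '';
  if (!contentType.toLowerCase().startsWith('application/json')) {
    return jsonResponse(415, { error: 'Content-Type must be application/json' });
  }
  // API Gateway delivers the body as a string, optionally base64-encoded.
  let raw = event.body || '';
  if (event.isBase64Encoded) raw = Buffer.from(raw, 'base64').toString('utf8');
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (e) {
    return jsonResponse(400, { error: 'body is not valid JSON' });
  }
  if (!parsed || typeof parsed.script !== 'string') {
    return jsonResponse(400, { error: '"script" must be a string' });
  }
  if (Buffer.byteLength(parsed.script, 'utf8') > MAX_SCRIPT_BYTES) {
    return jsonResponse(413, { error: 'script too large' });
  }
  let output;
  try {
    output = sandbox(parsed.script);
  } catch (e) {
    // Log internally; never echo parser errors or stack traces to the caller.
    console.error('sandboxer failed:', e.message);
    return jsonResponse(500, { error: 'sandboxing failed' });
  }
  // The README shows "result" as stringify'd JSON: the output string is
  // JSON-encoded once more inside the response object, so keep that shape.
  return jsonResponse(200, { result: JSON.stringify(output) });
}

// Lambda looks this function up by the name `handler`.
const handler = async (event) => buildResponse(event, standInSandbox);

// Guarded so the file also loads where `module` is not defined.
if (typeof module !== 'undefined' && module.exports) {
  module.exports = { handler, buildResponse, standInSandbox, MAX_SCRIPT_BYTES };
}
```

Because the README says the endpoint requires no auth token, the handler is the only place the input is checked; the example therefore rejects a wrong content type, a malformed body, a non-string "script" and an oversized script before the sandboxer runs, and answers a sandboxer failure with a generic 500 rather than the exception text.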
We found that stag-sandbox-lambda demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.