Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
verida-tech-demos
Advanced tools
A tool for checking for lingering free namespaces for private package names referenced in dependency configuration for Python (pypi) `requirements.txt`, JavaScript (npm) `package.json`, PHP (composer) `composer.json` or MVN (maven) `pom.xml`.
A tool for checking for lingering free namespaces for private package names referenced in dependency configuration
for Python (pypi) requirements.txt
, JavaScript (npm) package.json
, PHP (composer) composer.json
or MVN (maven) pom.xml
.
On 9th of February 2021, a security researcher Alex Birsan published an article that touched different resolve order flaws in dependency management tools present in multiple programming language ecosystems.
Microsoft released a whitepaper describing ways to mitigate the impact, while the root cause still remains.
confused
simply reads through a dependency definition file of an application and checks the public package repositories
for each dependency entry in that file. It will proceed to report all the package names that are not found in the public
repositories - a state that implies that a package might be vulnerable to this kind of attack, while this vector has not
yet been exploited.
This however doesn't mean that an application isn't already being actively exploited. If you know your software is using private package repositories, you should ensure that the namespaces for your private packages have been claimed by a trusted party (typically yourself or your company).
Some packaging ecosystems like npm have a concept called "scopes" that can be either private or public. In short it means
a namespace that has an upper level - the scope. The scopes are not inherently visible publicly, which means that confused
cannot reliably detect if it has been claimed. If your application uses scoped package names, you should ensure that a
trusted party has claimed the scope name in the public repositories.
Download a prebuilt binary from releases page, unpack and run!
or
If you have recent go compiler installed: go get -u github.com/visma-prodsec/confused
(the same command works for updating)
or
git clone https://github.com/visma-prodsec/confused ; cd confused ; go get ; go build
Usage:
confused [-l LANGUAGENAME] depfilename.ext
Usage of confused:
-l string
Package repository system. Possible values: "pip", "npm", "composer", "mvn", "rubygems" (default "npm")
-s string
Comma-separated list of known-secure namespaces. Supports wildcards
-v Verbose output
./confused -l pip requirements.txt
Issues found, the following packages are not available in public package repositories:
[!] internal_package1
./confused -l npm package.json
Issues found, the following packages are not available in public package repositories:
[!] internal_package1
[!] @mycompany/internal_package1
[!] @mycompany/internal_package2
# Example when @mycompany private scope has been registered in npm, using -s
./confused -l npm -s '@mycompany/*' package.json
Issues found, the following packages are not available in public package repositories:
[!] internal_package1
./confused -l mvn pom.xml
Issues found, the following packages are not available in public package repositories:
[!] internal
[!] internal/package1
[!] internal/_package2
./confused -l rubygems Gemfile.lock
Issues found, the following packages are not available in public package repositories:
[!] internal
[!] internal/package1
[!] internal/_package2
FAQs
security holding package
The npm package verida-tech-demos receives a total of 1 weekly downloads. As such, verida-tech-demos popularity was classified as not popular.
We found that verida-tech-demos demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.