Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Spawn for node.js but in a way that works regardless of which OS you're using
Spawn for node.js but in a way that works regardless of which OS you're using. Use this if you want to use spawn with a JavaScript file. It works by explicitly invoking node on windows. It also shims support for environment variable setting by attempting to parse the command with a regex. Since all modification is wrapped in if (os === 'Windows_NT')
it can be safely used on non-windows systems and will not break anything.
$ npm install win-spawn
All the following will work exactly as if the 'win-spawn ' prefix was ommitted when on unix.
$ win-spawn foo
$ win-spawn ./bin/foo
$ win-spawn NODE_PATH=./lib foo
$ win-spawn NODE_PATH=./lib foo arg1 arg2
You can also transform all the line endings in a directory from \r\n
to \n
just by running:
$ win-line-endings
You can preview the changes by running:
$ win-line-endings -p
It will ignore node_modules
and .git
by default, but is not clever enough to recognise binary files yet.
This will just pass through to child_process.spawn
on unix systems, but will correctly parse the arguments on windows.
spawn('foo', [], {stdio: 'inherit'});
spawn('./bin/foo', [], {stdio: 'inherit'});
spawn('NODE_PATH=./lib foo', [], {stdio: 'inherit'});
spawn('NODE_PATH=./lib foo', [arg1, arg2], {stdio: 'inherit'});
FAQs
Spawn for node.js but in a way that works regardless of which OS you're using
The npm package win-fork receives a total of 14,417 weekly downloads. As such, win-fork popularity was classified as popular.
We found that win-fork demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.