
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
ZumerBox is a small set of development tools designed to run common tasks in software development workflows. It offers functionalities for linting, formatting, building, testing, and releasing projects.
ZumerBox is intended for small projects with single or small development teams. It was initially created for personal use but can be useful for sharing with other developers who want to quickly test concepts or iterate on small projects.
The idea behind ZumerBox is that it can be used out-of-the-box without any configuration. Each tool is designed to work with sensible defaults, allowing you to get started quickly without having to spend time configuring settings.
You can use the ZumerBox bundle or any of its tools without installation by running npx. See Usage for details.
ZumerBox tools are designed as wrappers for popular tools such as Jest, ESLint, StyleLint, ESbuild, Prettier, and update-changelog. They are pre-configured to be immediately usable without the need for extensive setup or configuration.
You can install ZumerBox as a bundle or each tool individually according to your preference.
To install the entire ZumerBox bundle, simply run:
npm install zumerbox --save-dev
This will install all tools included in ZumerBox.
Alternatively, you can install each tool independently. Here are the available tools:
You can install any of these tools individually using npm:
npm install @zumerbox/tool-name --save-dev
Replace tool-name with the name of the tool you want to install.
You can use any tool from ZumerBox without the need for installation by running it directly with npx. This allows for a hassle-free setup and usage. For example, to run the tests, you can use in the project root folder:
# using ZumerBox bundle
npx zumerbox tests
or
# using ZumerBox individual tool
npx @zumerbox-tests
Replace tests with the name of the tool you want to use.
Alternatively, you can integrate ZumerBox tools into your npm package scripts. For instance, you can add a script entry in your package.json file:
//package.json
{
"scripts": {
"release":"npx zumerbox release"
}
}
or with an individual tool:
//package.json
{
"scripts": {
"release":"npx @zumerbox/release"
}
}
This way, you can utilize ZumerBox seamlessly within your project's development workflow.
ZumerBox is licensed under the MIT License.
If you encounter any bugs or have suggestions for improvements, please feel free to open an issue on GitHub.
FAQs
Small set of development tools
The npm package zumerbox receives a total of 16 weekly downloads. As such, zumerbox popularity was classified as not popular.
We found that zumerbox demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.