Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
.. image:: https://img.shields.io/pypi/v/scrapy-splash.svg :target: https://pypi.python.org/pypi/scrapy-splash :alt: PyPI Version
.. image:: https://github.com/scrapy-plugins/scrapy-splash/workflows/Tests/badge.svg :target: https://github.com/scrapy-plugins/scrapy-splash/actions/workflows/tests.yml :alt: Test Status
.. image:: http://codecov.io/github/scrapy-plugins/scrapy-splash/coverage.svg?branch=master :target: http://codecov.io/github/scrapy-plugins/scrapy-splash?branch=master :alt: Code Coverage
This library provides Scrapy_ and JavaScript integration using Splash_. The license is BSD 3-clause.
.. _Scrapy: https://github.com/scrapy/scrapy .. _Splash: https://github.com/scrapinghub/splash
Install scrapy-splash using pip::
$ pip install scrapy-splash
Scrapy-Splash uses Splash_ HTTP API, so you also need a Splash instance. Usually to install & run Splash, something like this is enough::
$ docker run -p 8050:8050 scrapinghub/splash
Check Splash install docs
_ for more info.
.. _install docs: http://splash.readthedocs.org/en/latest/install.html
Add the Splash server address to settings.py
of your Scrapy project
like this::
SPLASH_URL = 'http://192.168.59.103:8050'
Enable the Splash middleware by adding it to DOWNLOADER_MIDDLEWARES
in your settings.py
file and changing HttpCompressionMiddleware
priority::
DOWNLOADER_MIDDLEWARES = { 'scrapy_splash.SplashCookiesMiddleware': 723, 'scrapy_splash.SplashMiddleware': 725, 'scrapy.downloadermiddlewares.httpcompression.HttpCompressionMiddleware': 810, }
Order 723
is just before HttpProxyMiddleware
(750) in default
scrapy settings.
HttpCompressionMiddleware priority should be changed in order to allow advanced response processing; see https://github.com/scrapy/scrapy/issues/1895 for details.
Enable SplashDeduplicateArgsMiddleware
by adding it to
SPIDER_MIDDLEWARES
in your settings.py
::
SPIDER_MIDDLEWARES = { 'scrapy_splash.SplashDeduplicateArgsMiddleware': 100, }
This middleware is needed to support cache_args
feature; it allows
to save disk space by not storing duplicate Splash arguments multiple
times in a disk request queue. If Splash 2.1+ is used the middleware
also allows to save network traffic by not sending these duplicate
arguments to Splash server multiple times.
Set a custom DUPEFILTER_CLASS
::
DUPEFILTER_CLASS = 'scrapy_splash.SplashAwareDupeFilter'
If you use Scrapy HTTP cache then a custom cache storage backend
is required. scrapy-splash provides a subclass of
scrapy.contrib.httpcache.FilesystemCacheStorage
::
HTTPCACHE_STORAGE = 'scrapy_splash.SplashAwareFSCacheStorage'
If you use other cache storage then it is necesary to subclass it and
replace all scrapy.util.request.request_fingerprint
calls with
scrapy_splash.splash_request_fingerprint
.
.. note::
Steps (4) and (5) are necessary because Scrapy doesn't provide a way
to override request fingerprints calculation algorithm globally; this
could change in future.
There are also some additional options available.
Put them into your settings.py
if you want to change the defaults:
SPLASH_COOKIES_DEBUG
is False
by default.
Set to True
to enable debugging cookies in the SplashCookiesMiddleware
.
This option is similar to COOKIES_DEBUG
for the built-in scarpy cookies middleware: it logs sent and received cookies
for all requests.SPLASH_LOG_400
is True
by default - it instructs to log all 400 errors
from Splash. They are important because they show errors occurred
when executing the Splash script. Set it to False
to disable this logging.SPLASH_SLOT_POLICY
is scrapy_splash.SlotPolicy.PER_DOMAIN
(as object, not just a string) by default.
It specifies how concurrency & politeness are maintained for Splash requests,
and specify the default value for slot_policy
argument for
SplashRequest
, which is described below.The easiest way to render requests with Splash is to
use scrapy_splash.SplashRequest
::
yield SplashRequest(url, self.parse_result,
args={
# optional; parameters passed to Splash HTTP API
'wait': 0.5,
# 'url' is prefilled from request url
# 'http_method' is set to 'POST' for POST requests
# 'body' is set to request body for POST requests
},
endpoint='render.json', # optional; default is render.html
splash_url='<url>', # optional; overrides SPLASH_URL
slot_policy=scrapy_splash.SlotPolicy.PER_DOMAIN, # optional
)
Alternatively, you can use regular scrapy.Request and
'splash'
Request meta
key::
yield scrapy.Request(url, self.parse_result, meta={
'splash': {
'args': {
# set rendering arguments here
'html': 1,
'png': 1,
# 'url' is prefilled from request url
# 'http_method' is set to 'POST' for POST requests
# 'body' is set to request body for POST requests
},
# optional parameters
'endpoint': 'render.json', # optional; default is render.json
'splash_url': '<url>', # optional; overrides SPLASH_URL
'slot_policy': scrapy_splash.SlotPolicy.PER_DOMAIN,
'splash_headers': {}, # optional; a dict with headers sent to Splash
'dont_process_response': True, # optional, default is False
'dont_send_headers': True, # optional, default is False
'magic_response': False, # optional, default is True
}
})
Use request.meta['splash']
API in middlewares or when scrapy.Request
subclasses are used (there is also SplashFormRequest
described below).
For example, meta['splash']
allows to create a middleware which enables
Splash for all outgoing requests by default.
SplashRequest
is a convenient utility to fill request.meta['splash']
;
it should be easier to use in most cases. For each request.meta['splash']
key there is a corresponding SplashRequest
keyword argument: for example,
to set meta['splash']['args']
use SplashRequest(..., args=myargs)
.
meta['splash']['args']
contains arguments sent to Splash.
scrapy-splash adds some default keys/values to args
:
You can override default values by setting them explicitly.
Note that by default Scrapy escapes URL fragments using AJAX escaping scheme.
If you want to pass a URL with a fragment to Splash then set url
in args
dict manually. This is handled automatically if you use
SplashRequest
, but you need to keep that in mind if you use raw
meta['splash']
API.
Splash 1.8+ is required to handle POST requests; in earlier Splash versions
'http_method' and 'body' arguments are ignored. If you work with /execute
endpoint and want to support POST requests you have to handle
http_method
and body
arguments in your Lua script manually.
meta['splash']['cache_args']
is a list of argument names to cache
on Splash side. These arguments are sent to Splash only once, then cached
values are used; it allows to save network traffic and decreases request
queue disk memory usage. Use cache_args
only for large arguments
which don't change with each request; lua_source
is a good candidate
(if you don't use string formatting to build it). Splash 2.1+ is required
for this feature to work.
meta['splash']['endpoint']
is the Splash endpoint to use.
In case of SplashRequest
render.html <http://splash.readthedocs.org/en/latest/api.html#render-html>
_
is used by default. If you're using raw scrapy.Request then
render.json <http://splash.readthedocs.org/en/latest/api.html#render-json>
_
is a default (for historical reasons). It is better to always pass endpoint
explicitly.
See Splash HTTP API docs
_ for a full list of available endpoints
and parameters.
.. _HTTP API docs: http://splash.readthedocs.org/en/latest/api.html
meta['splash']['splash_url']
overrides the Splash URL set
in settings.py
.
meta['splash']['splash_headers']
allows to add or change headers
which are sent to Splash server. Note that this option is not for
setting headers which are sent to the remote website.
meta['splash']['slot_policy']
customize how
concurrency & politeness are maintained for Splash requests.
Currently there are 3 policies available:
scrapy_splash.SlotPolicy.PER_DOMAIN
(default) - send Splash requests to
downloader slots based on URL being rendered. It is useful if you want
to maintain per-domain politeness & concurrency settings.
scrapy_splash.SlotPolicy.SINGLE_SLOT
- send all Splash requests to
a single downloader slot. It is useful if you want to throttle requests
to Splash.
scrapy_splash.SlotPolicy.SCRAPY_DEFAULT
- don't do anything with slots.
It is similar to SINGLE_SLOT
policy, but can be different if you access
other services on the same address as Splash.
meta['splash']['dont_process_response']
- when set to True,
SplashMiddleware won't change the response to a custom scrapy.Response
subclass. By default for Splash requests one of SplashResponse,
SplashTextResponse or SplashJsonResponse is passed to the callback.
meta['splash']['dont_send_headers']
: by default scrapy-splash passes
request headers to Splash in 'headers' JSON POST field. For all render.xxx
endpoints it means Scrapy header options are respected by default
(http://splash.readthedocs.org/en/stable/api.html#arg-headers). In Lua
scripts you can use headers
argument of splash:go
to apply the
passed headers: splash:go{url, headers=splash.args.headers}
.
Set 'dont_send_headers' to True if you don't want to pass headers
to Splash.
meta['splash']['http_status_from_error_code']
- set response.status
to HTTP error code when assert(splash:go(..))
fails; it requires
meta['splash']['magic_response']=True
. http_status_from_error_code
option is False by default if you use raw meta API;
SplashRequest sets it to True by default.
meta['splash']['magic_response']
- when set to True and a JSON
response is received from Splash, several attributes of the response
(headers, body, url, status code) are filled using data returned in JSON:
meta['splash']['http_status_from_error_code']
is True
and assert(splash:go(..))
fails with an HTTP error
response.status is also set to HTTP error code.Original URL, status and headers are available as response.real_url
,
response.splash_response_status
and response.splash_response_headers
.
This option is set to True by default if you use SplashRequest.
render.json
and execute
endpoints may not have all the necessary
keys/values in the response.
For non-JSON endpoints, only url is filled, regardless of the
magic_response
setting.
Use scrapy_splash.SplashFormRequest
if you want to make a FormRequest
via splash. It accepts the same arguments as SplashRequest
,
and also formdata
, like FormRequest
from scrapy::
>>> SplashFormRequest('http://example.com', formdata={'foo': 'bar'})
<POST http://example.com>
SplashFormRequest.from_response
is also supported, and works as described
in scrapy documentation <http://scrapy.readthedocs.org/en/latest/topics/request-response.html#scrapy.http.FormRequest.from_response>
_.
scrapy-splash returns Response subclasses for Splash requests:
To use standard Response classes set meta['splash']['dont_process_response']=True
or pass dont_process_response=True
argument to SplashRequest.
All these responses set response.url
to the URL of the original request
(i.e. to the URL of a website you want to render), not to the URL of the
requested Splash endpoint. "True" URL is still available as
response.real_url
.
SplashJsonResponse provide extra features:
response.data
attribute contains response data decoded from JSON;
you can access it like response.data['html']
.
If Splash session handling is configured, you can access current cookies
as response.cookiejar
; it is a CookieJar instance.
If Scrapy-Splash response magic is enabled in request (default), several response attributes (headers, body, url, status code) are set automatically from original response body:
When response.body
is updated in SplashJsonResponse
(either from 'html' or from 'body' keys) familiar response.css
and response.xpath
methods are available.
To turn off special handling of JSON result keys either set
meta['splash']['magic_response']=False
or pass magic_response=False
argument to SplashRequest.
Splash itself is stateless - each request starts from a clean state. In order to support sessions the following is required:
For (2) and (3) Splash provides splash:get_cookies()
and
splash:init_cookies()
methods which can be used in Splash Lua scripts.
scrapy-splash provides helpers for (1) and (4): to send current cookies
in 'cookies' field and merge cookies back from 'cookies' response field
set request.meta['splash']['session_id']
to the session
identifier. If you only want a single session use the same session_id
for
all request; any value like '1' or 'foo' is fine.
For scrapy-splash session handling to work you must use /execute
endpoint
and a Lua script which accepts 'cookies' argument and returns 'cookies'
field in the result::
function main(splash) splash:init_cookies(splash.args.cookies)
-- ... your script
return {
cookies = splash:get_cookies(),
-- ... other results, e.g. html
}
end
SplashRequest sets session_id
automatically for /execute
endpoint,
i.e. cookie handling is enabled by default if you use SplashRequest,
/execute
endpoint and a compatible Lua rendering script.
If you want to start from the same set of cookies, but then 'fork' sessions
set request.meta['splash']['new_session_id']
in addition to
session_id
. Request cookies will be fetched from cookiejar session_id
,
but response cookies will be merged back to the new_session_id
cookiejar.
Standard Scrapy cookies
argument can be used with SplashRequest
to add cookies to the current Splash cookiejar.
Get HTML contents::
import scrapy
from scrapy_splash import SplashRequest
class MySpider(scrapy.Spider):
start_urls = ["http://example.com", "http://example.com/foo"]
def start_requests(self):
for url in self.start_urls:
yield SplashRequest(url, self.parse, args={'wait': 0.5})
def parse(self, response):
# response.body is a result of render.html call; it
# contains HTML processed by a browser.
# ...
Get HTML contents and a screenshot::
import json
import base64
import scrapy
from scrapy_splash import SplashRequest
class MySpider(scrapy.Spider):
# ...
splash_args = {
'html': 1,
'png': 1,
'width': 600,
'render_all': 1,
}
yield SplashRequest(url, self.parse_result, endpoint='render.json',
args=splash_args)
# ...
def parse_result(self, response):
# magic responses are turned ON by default,
# so the result under 'html' key is available as response.body
html = response.body
# you can also query the html result as usual
title = response.css('title').extract_first()
# full decoded JSON data is available as response.data:
png_bytes = base64.b64decode(response.data['png'])
# ...
Run a simple Splash Lua Script
_::
import json
import base64
from scrapy_splash import SplashRequest
class MySpider(scrapy.Spider):
# ...
script = """
function main(splash)
assert(splash:go(splash.args.url))
return splash:evaljs("document.title")
end
"""
yield SplashRequest(url, self.parse_result, endpoint='execute',
args={'lua_source': script})
# ...
def parse_result(self, response):
doc_title = response.text
# ...
More complex Splash Lua Script
_ example - get a screenshot of an HTML
element by its CSS selector (it requires Splash 2.1+).
Note how are arguments passed to the script::
import json
import base64
from scrapy_splash import SplashRequest
script = """
-- Arguments:
-- * url - URL to render;
-- * css - CSS selector to render;
-- * pad - screenshot padding size.
-- this function adds padding around region
function pad(r, pad)
return {r[1]-pad, r[2]-pad, r[3]+pad, r[4]+pad}
end
-- main script
function main(splash)
-- this function returns element bounding box
local get_bbox = splash:jsfunc([[
function(css) {
var el = document.querySelector(css);
var r = el.getBoundingClientRect();
return [r.left, r.top, r.right, r.bottom];
}
]])
assert(splash:go(splash.args.url))
assert(splash:wait(0.5))
-- don't crop image by a viewport
splash:set_viewport_full()
local region = pad(get_bbox(splash.args.css), splash.args.pad)
return splash:png{region=region}
end
"""
class MySpider(scrapy.Spider):
# ...
yield SplashRequest(url, self.parse_element_screenshot,
endpoint='execute',
args={
'lua_source': script,
'pad': 32,
'css': 'a.title'
}
)
# ...
def parse_element_screenshot(self, response):
image_data = response.body # binary image data in PNG format
# ...
Use a Lua script to get an HTML response with cookies, headers, body
and method set to correct values; lua_source
argument value is cached
on Splash server and is not sent with each request (it requires Splash 2.1+)::
import scrapy
from scrapy_splash import SplashRequest
script = """
function main(splash)
splash:init_cookies(splash.args.cookies)
assert(splash:go{
splash.args.url,
headers=splash.args.headers,
http_method=splash.args.http_method,
body=splash.args.body,
})
assert(splash:wait(0.5))
local entries = splash:history()
local last_response = entries[#entries].response
return {
url = splash:url(),
headers = last_response.headers,
http_status = last_response.status,
cookies = splash:get_cookies(),
html = splash:html(),
}
end
"""
class MySpider(scrapy.Spider):
# ...
yield SplashRequest(url, self.parse_result,
endpoint='execute',
cache_args=['lua_source'],
args={'lua_source': script},
headers={'X-My-Header': 'value'},
)
def parse_result(self, response):
# here response.body contains result HTML;
# response.headers are filled with headers from last
# web page loaded to Splash;
# cookies from all responses and from JavaScript are collected
# and put into Set-Cookie response header, so that Scrapy
# can remember them.
.. _Splash Lua Script: http://splash.readthedocs.org/en/latest/scripting-tutorial.html
If you need to use HTTP Basic Authentication to access Splash, use the
SPLASH_USER
and SPLASH_PASS
optional settings::
SPLASH_USER = 'user'
SPLASH_PASS = 'userpass'
Another option is meta['splash']['splash_headers']
: it allows to set
custom headers which are sent to Splash server; add Authorization header
to splash_headers
if you want to change credentials per-request::
import scrapy
from w3lib.http import basic_auth_header
class MySpider(scrapy.Spider):
# ...
def start_requests(self):
auth = basic_auth_header('user', 'userpass')
yield SplashRequest(url, self.parse,
splash_headers={'Authorization': auth})
WARNING: Don't use HttpAuthMiddleware
_
(i.e. http_user
/ http_pass
spider attributes) for Splash
authentication: if you occasionally send a non-Splash request from your spider,
you may expose Splash credentials to a remote website, as HttpAuthMiddleware
sets credentials for all requests unconditionally.
.. _HttpAuthMiddleware: http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth
The obvious alternative to scrapy-splash would be to send requests directly
to the Splash HTTP API
_. Take a look at the example below and make
sure to read the observations after it::
import json
import scrapy
from scrapy.http.headers import Headers
RENDER_HTML_URL = "http://127.0.0.1:8050/render.html"
class MySpider(scrapy.Spider):
start_urls = ["http://example.com", "http://example.com/foo"]
def start_requests(self):
for url in self.start_urls:
body = json.dumps({"url": url, "wait": 0.5}, sort_keys=True)
headers = Headers({'Content-Type': 'application/json'})
yield scrapy.Request(RENDER_HTML_URL, self.parse, method="POST",
body=body, headers=headers)
def parse(self, response):
# response.body is a result of render.html call; it
# contains HTML processed by a browser.
# ...
It works and is easy enough, but there are some issues that you should be aware of:
There is a bit of boilerplate.
As seen by Scrapy, we're sending requests to RENDER_HTML_URL
instead
of the target URLs. It affects concurrency and politeness settings:
CONCURRENT_REQUESTS_PER_DOMAIN
, DOWNLOAD_DELAY
, etc could behave
in unexpected ways since delays and concurrency settings are no longer
per-domain.
As seen by Scrapy, response.url is an URL of the Splash server.
scrapy-splash fixes it to be an URL of a requested page.
"Real" URL is still available as response.real_url
. scrapy-splash also
allows to handle response.status
and response.headers
transparently
on Scrapy side.
Some options depend on each other - for example, if you use timeout_
Splash option then you may want to set download_timeout
scrapy.Request meta key as well.
It is easy to get it subtly wrong - e.g. if you won't use
sort_keys=True
argument when preparing JSON body then binary POST body
content could vary even if all keys and values are the same, and it means
dupefilter and cache will work incorrectly.
Default Scrapy duplication filter doesn't take Splash specifics in account. For example, if an URL is sent in a JSON POST request body Scrapy will compute request fingerprint without canonicalizing this URL.
Splash Bad Request (HTTP 400) errors are hard to debug because by default
response content is not displayed by Scrapy. SplashMiddleware logs content
of HTTP 400 Splash responses by default (it can be turned off by setting
SPLASH_LOG_400 = False
option).
Cookie handling is tedious to implement, and you can't use Scrapy built-in Cookie middleware to handle cookies when working with Splash.
Large Splash arguments which don't change with every request
(e.g. lua_source
) may take a lot of space when saved to Scrapy disk
request queues. scrapy-splash
provides a way to store such static
parameters only once.
Splash 2.1+ provides a way to save network traffic by caching large
static arguments on server, but it requires client support: client should
send proper save_args
and load_args
values and handle HTTP 498
responses.
scrapy-splash utlities allow to handle such edge cases and reduce the boilerplate.
.. _HTTP API: http://splash.readthedocs.org/en/latest/api.html .. _timeout: http://splash.readthedocs.org/en/latest/api.html#arg-timeout
Splash FAQ
_" pagereporting Scrapy bugs
_" pageBest approach to get any other help is to ask a question on Stack Overflow
_
.. _reporting Scrapy bugs: https://doc.scrapy.org/en/master/contributing.html#reporting-bugs .. _Splash FAQ: http://splash.readthedocs.io/en/stable/faq.html#website-is-not-rendered-correctly .. _Stack Overflow: https://stackoverflow.com/questions/tagged/scrapy-splash?sort=frequent&pageSize=15&mixed=1
Source code and bug tracker are on github: https://github.com/scrapy-plugins/scrapy-splash
To run tests, install "tox" Python package and then run tox
command
from the source checkout.
To run integration tests, start Splash and set SPLASH_URL env variable
to Splash address before running tox
command::
docker run -d --rm -p8050:8050 scrapinghub/splash:3.0 SPLASH_URL=http://127.0.0.1:8050 tox -e py36
Removed official support for Python 2.7, 3.4, 3.5 and 3.6, and added official support for Python 3.9, 3.10 and 3.11.
Deprecated SplashJsonResponse.body_as_unicode()
, to be replaced by
SplashJsonResponse.text
.
Removed calls to obsolete to_native_str
, removed in Scrapy 2.8.
Security bug fix:
If you use HttpAuthMiddleware_ (i.e. the http_user
and http_pass
spider attributes) for Splash authentication, any non-Splash request will
expose your credentials to the request target. This includes robots.txt
requests sent by Scrapy when the ROBOTSTXT_OBEY
setting is set to
True
.
Use the new SPLASH_USER
and SPLASH_PASS
settings instead to set
your Splash authentication credentials safely.
.. _HttpAuthMiddleware: http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth
Responses now expose the HTTP status code and headers from Splash as
response.splash_response_status
and
response.splash_response_headers
(#158)
The meta
argument passed to the scrapy_splash.request.SplashRequest
constructor is no longer modified (#164)
Website responses with 400 or 498 as HTTP status code are no longer handled as the equivalent Splash responses (#158)
Cookies are no longer sent to Splash itself (#156)
scrapy_splash.utils.dict_hash
now also works with obj=None
(225793b
)
Our test suite now includes integration tests (#156) and tests can be run
in parallel (6fb8c41
)
There’s a new ‘Getting help’ section in the README.rst
file (#161,
#162), the documentation about SPLASH_SLOT_POLICY
has been improved
(#157) and a typo as been fixed (#121)
Made some internal improvements (ee5000d
, 25de545
, 2aaa79d
)
SPLASH_COOKIES_DEBUG
setting allows to log cookies
sent and received to/from Splash in cookies
request/response fields.
It is similar to Scrapy's builtin COOKIES_DEBUG
, but works for
Splash requests;SplashAwareDupeFilter
and splash_request_fingerprint
are improved:
they now canonicalize URLs and take URL fragments in account;cache_args
value fingerprints are now calculated faster.cache_args
SplashRequest argument and
request.meta['splash']['cache_args']
key allow to save network traffic
and disk storage by not storing duplicate Splash arguments in disk request
queues and not sending them to Splash multiple times. This feature requires
Splash 2.1+.To upgrade from v0.4 enable SplashDeduplicateArgsMiddleware
in settings.py::
SPIDER_MIDDLEWARES = { 'scrapy_splash.SplashDeduplicateArgsMiddleware': 100, }
Package is renamed from scrapyjs
to scrapy-splash
.
An easiest way to upgrade is to replace scrapyjs
imports with
scrapy_splash
and update settings.py
with new defaults
(check the README).
There are many new helpers to handle JavaScript rendering transparently;
the recommended way is now to use scrapy_splash.SplashRequest
instead
of request.meta['splash']
. Please make sure to read the README if
you're upgrading from scrapyjs - you may be able to drop some code from your
project, especially if you want to access response html, handle cookies
and headers.
response.data
.SplashRequest.__repr__
shows both requested URL
and Splash URL;Fixed fingerprint calculation for non-string meta values.
Initial release
FAQs
JavaScript support for Scrapy using Splash
We found that scrapy-splash demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.