This library provides a very simple wrapper around the Zenroom (https://zenroom.dyne.org/) crypto virtual machine, developed as part of the DECODE project (https://decodeproject.eu/), with the aim of making the Zenroom virtual machine easier to call from normal Python code.
Zenroom itself has good cross-platform functionality; if you are interested in finding out more about what Zenroom offers, please visit the website linked above.
pip install zenroom
NOTE - the above command attempts to install the zenroom package, pulling in the Zenroom VM as a precompiled binary, so will only work on Linux and macOS machines.
For the edge version (synced to the latest commit on master) please run:
pip install zenroom --pre
The zenroom package is just a wrapper around the zencode-exec utility, so you also need to install zencode-exec: download it from the official releases on GitHub.
After downloading it, move it somewhere in your PATH (and make sure the file is executable, e.g. with chmod +x, otherwise the wrapper cannot run it):
sudo cp zencode-exec /usr/local/bin/
Warning: on macOS the executable is named zencode-exec.command, and you have to symlink it to zencode-exec:
sudo cp zencode-exec.command /usr/local/bin/
cd /usr/local/bin
sudo ln -s zencode-exec.command zencode-exec
Two main calls are exposed, one to run Zencode contracts and one to run Zenroom (Lua) scripts.
If you don't know what Zencode is, you can start with this blog post:
https://decodeproject.eu/blog/smart-contracts-english-speaker
The official documentation is available on https://dev.zenroom.org/zencode/
A good set of example Zencode contracts can be found on
The wrapper exposes two simple calls:
zenroom_exec
zencode_exec
As the names suggest, these are the two methods to execute Zenroom (Lua) scripts and Zencode contracts respectively.
Both functions accept the same arguments:
script (string): the Lua script or the Zencode contract to be executed
keys (string): the optional keys string to pass in execution, as documented in the Zenroom docs
data (string): the optional data string to pass in execution, as documented in the Zenroom docs
conf (string): the optional conf string to pass, according to zen_config
Both functions return the same object, a ZenResult, which has two attributes:
stdout (string): holds the stdout of the script execution
stderr (string): holds the stderr of the script execution
Example usage of zencode_exec(script, keys=None, data=None, conf=None):
from zenroom import zenroom
contract = """Scenario ecdh: Create a keypair
Given that I am known as 'identifier'
When I create the keypair
Then print my data
"""
result = zenroom.zencode_exec(contract)
print(result.output)
Example usage of zenroom_exec(script, keys=None, data=None, conf=None)
from zenroom import zenroom
script = "print('Hello world')"
result = zenroom.zenroom_exec(script)
print(result.output)
The same arguments and the same result object apply as for the zencode_exec call.
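As an added example, not code from the zenroom project, here is a small helper layer a practitioner would put over zencode_exec: it passes keys and data as JSON strings (the wrapper takes strings), checks up front that zencode-exec is actually reachable on PATH (and points at the macOS symlink step if only zencode-exec.command is found), and treats empty or non-JSON output as an error that carries the logs instead of silently returning nothing. It assumes the package is installed and imported as in this README's examples, that result.output holds stdout as those examples read it, and that a failed contract leaves stdout empty with the error trace in stderr. The names run_zencode, decode_result, encode_arg, locate_zencode_exec and ZencodeError, and the second demo contract, are this example's own, not part of the wrapper's API.

```python
"""Added example (not part of the zenroom package): a helper layer over
zenroom.zencode_exec. Helper names here are the example's own."""
import json
import shutil
from typing import Any, Optional, Union

try:
    from zenroom import zenroom  # the wrapper documented in this README
except ImportError:  # not installed: the pure helpers below still work
    zenroom = None


class ZencodeError(RuntimeError):
    """Raised when a Zencode run produced no usable output; carries the logs."""


def locate_zencode_exec() -> str:
    """Return the path of zencode-exec on PATH, or raise with an install hint.

    The wrapper shells out to zencode-exec, so a missing binary would
    otherwise surface as a confusing failure at call time.
    """
    path = shutil.which("zencode-exec")
    if path:
        return path
    hint = ""
    if shutil.which("zencode-exec.command"):
        # macOS release name: the symlink step from the install notes was skipped
        hint = " (zencode-exec.command is on PATH: symlink it to zencode-exec)"
    raise FileNotFoundError("zencode-exec not found on PATH" + hint)


def encode_arg(value: Union[None, str, dict, list]) -> Optional[str]:
    """keys and data are handed to the wrapper as strings holding JSON."""
    if value is None or isinstance(value, str):
        return value
    return json.dumps(value, separators=(",", ":"))


def decode_result(output: str, logs: str = "") -> Any:
    """Parse the JSON a Zencode contract prints on stdout.

    Assumption: when a contract fails, stdout is empty and the error trace is
    in stderr (the logs), so empty or unparsable output is reported together
    with those logs rather than swallowed.
    """
    text = (output or "").strip()
    if not text:
        raise ZencodeError("zencode produced no output; logs:\n" + (logs or ""))
    try:
        return json.loads(text)
    except json.JSONDecodeError as exc:
        raise ZencodeError(f"zencode output is not JSON ({exc}); logs:\n{logs}") from exc


def run_zencode(contract: str, keys: Union[None, str, dict] = None,
                data: Union[None, str, dict] = None, conf: Optional[str] = None) -> Any:
    """Execute a Zencode contract through the wrapper and return parsed output."""
    if zenroom is None:
        raise ImportError("the zenroom package is not installed (pip install zenroom)")
    locate_zencode_exec()
    result = zenroom.zencode_exec(contract, keys=encode_arg(keys),
                                  data=encode_arg(data), conf=conf)
    # The README names the attributes stdout/stderr while its examples read
    # result.output; accept either spelling for the log attribute.
    logs = getattr(result, "logs", None) or getattr(result, "stderr", "")
    return decode_result(result.output, logs)


if __name__ == "__main__":
    # The README's keypair contract plus a constructed contract that consumes
    # the `data` argument; both are demo inputs for this example.
    keypair = """Scenario ecdh: Create a keypair
Given that I am known as 'identifier'
When I create the keypair
Then print my data
"""
    print(run_zencode(keypair))
    echo = """Given I have a 'string' named 'message'
Then print the 'message'
"""
    print(run_zencode(echo, data={"message": "hello from data"}))
```

The two string-level helpers (encode_arg, decode_result) do not need Zenroom at all, which is what makes the error handling testable without the binary; run_zencode is the only function that touches the wrapper.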
Tests are written with pytest; just run
python setup.py test
(or run pytest directly). In the zenroom_test.py file you'll find more usage examples of the wrapper.
Copyright (C) 2018-2022 by Dyne.org foundation, Amsterdam
Originally designed and written by Sam Mulube.
Designed, written and maintained by Puria Nafisi Azizi
Rewritten by Danilo Spinella and David Dashyan
This project is receiving funding from the European Union's Horizon 2020 research and innovation programme under grant agreement nr. 732546 (DECODE).
Please first take a look at the Dyne.org - Contributor License Agreement, then:
git checkout -b feature/branch
git commit -am 'Add some fooBar'
git push origin feature/branch
gh pr create -f
Zenroom.py - a python wrapper of zenroom
Copyright (c) 2018-2022 Dyne.org foundation, Amsterdam
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
FAQs
Zenroom for Python: Bindings of Zenroom library for Python.
We found that zenroom demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.