cli
cli
cli | cli | |
---|---|---|
12 | 72 | |
99 | 8,024 | |
- | 1.1% | |
9.2 | 9.6 | |
about 15 hours ago | 2 days ago | |
Rust | JavaScript | |
GNU General Public License v3.0 only | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
cli
-
Ledger's NPM account has been hacked
Co-funder @ Phylum here (https://phylum.io) We have been actively scanning dependencies across npm (and PyPI, RubyGems, Crates.io, etc.) for nearly three years now; quite successfully, I might add (https://blog.phylum.io/tag/research/). We _automatically_ hit on this package when it was published, and our research team has been all over it.
A collective of us are active in Discord (https://discord.gg/Fe6pr5eW6p), continuing to hunt attacks like these. If that's something that interests you, we'd love to have you!
In addition to this, we've released several open source tools to help protect against supply chain attacks:
1. https://github.com/phylum-dev/birdcage - Birdcage is a cross-platform embeddable sandbox that's been baked into our CLI (which wraps npm, pypi, etc.) to sandbox package installations
2. https://github.com/phylum-dev/cli - Our CLI provides an extension capability so you can lock down random executables you might use during your software development (define _what_ it's allowed to do, e.g. network access, and then lock it down with Birdcage)
We also have a variety of integrations, including Github, Gitlab, BitBucket, CircleCI, Tines, Sophos, etc.
https://docs.phylum.io/docs/integrations_overview
It's unfortunate that software dependency attacks continue to plague open source registries. It seems unlikely this will let up in the near future. We are continuing to work closely with the open source ecosystems to try and get these sorts of packages removed when they pop up.
- A Study of Malicious Code in PyPI Ecosystem
-
Rust Malware Staged on Crates.io
We're actively working on this with our sandbox (https://github.com/phylum-dev/birdcage). We've wrapped the likes of pip, yarn, and npm already and are making moves to similarly provide support for cargo.
Currently comes as part of the Phylum CLI (https://github.com/phylum-dev/cli), so that doing something like:
phylum npm install
-
How Attackers Can Sneakily Slip Malware Packages Into Poetry.lock Files
cli - uses sandbox to block packages during installation, performs pre-install checks to determine (by hitting the API) if the package performs actions congruent with malware, e.g. phylum pip install requests will use pip wrapped by the sandbox to install requests after verifying that it doesn't have malware like behavior.
-
Attackers Repurposing existing Python-based Malware for Distribution on NPM
This is bundled with our CLI tool today (which is also open source) and allows you to install packages with phylum npm install . We currently support npm, yarn and pip and are planning on rolling out further support for other ecosystems in coming months.
-
Attackers are hiding malware in minified packages distributed to NPM
We open sourced our tooling to help with this problem specifically. We have an extension framework that wraps npm for three purposes:
-
Active Malware Campaign Targeting Popular Python Packages Underway
Our CLI tool (also open source and free) will check for typosquats, dependency confusion, malicious code, vulnerabilities, etc. in your package dependencies. Works for pypi, npm, rubygems, maven, nuget and very recently golang and rust crates.
-
Ransomware being published to PyPI in ongoing campaign
This is built into the Phylum CLI so you can do things like:
-
Dozens of malicious PyPI packages discovered targeting developers
This is one of the projects we're working on (and open sourcing)!
Currently allows you to specify allowed resources during the package installation in a way very similar to what you've outlined [1].
The sandbox itself lives here [2] and can be integrated into other projects.
1. https://github.com/phylum-dev/cli/blob/main/extensions/npm/P...
2. https://github.com/phylum-dev/birdcage
-
How To: Open Source Policy Automation via Phylum Extensions
We will start here with a slightly more in-depth, custom version of the existing NPM shim extension - a tool that enforces default project policy when installing NPM packages. This custom extension will do some additional custom validation before allowing the installation process to continue.
cli
-
'everything' blocks devs from removing their own NPM packages
Because sometimes I make idiotic mistakes and I really don't want that embarrassing stuff out there where people can see. I ran head first into an npm bug once when I tried to symlink the README file which resulted in the thing getting published without a README.
https://github.com/npm/cli/issues/6746
Embarrassing. And then they slapped me with a stupid 24 hour count down on top of it. I seriously hate this thing.
-
Ledger's NPM account has been hacked
This is the same NPM that made a change causing the `integrity` field to go silently missing from `package-lock.json` [0] when installing packages, and then also not complaining at any other time in the future.
[0] https://github.com/npm/cli/issues/4460
-
What's New in Node.js 21
Node.js v21 includes npm v10.2.0, which notably introduces a new sbom command that allows you to generate a Software Bill of Materials (SBOM) for the current project. You can read more about the changes in recent NPM releases on GitHub.
-
Gatsby instalación con problemas recurrentes al conflictuar con cersión de NPM (aparentemente)
npm ERR! This is an error with npm itself. Please report this error at: npm ERR! https://github.com/npm/cli/issues
- Unable to connect to the NPM Registry
-
Quick full-stack app deployment using AWS and Ember.js
You'll need an AWS account and AWS credentials configured locally. We'll use pnpm but you could also use npm or yarn. The finished app is available on github.
-
Building and Launching a Serverless GraphQL React Application with AWS Amplify: A Step-by-Step Guide
~/Documents/amplify-hackathon/amplify-react-graphql-demo main !5 ?3 npm install -g @aws-amplify/cli 1 ✘ 4s 22:11:35 changed 26 packages in 25s 7 packages are looking for funding run `npm fund` for details npm notice npm notice New minor version of npm available! 9.4.0 -> 9.6.5 npm notice Changelog: https://github.com/npm/cli/releases/tag/v9.6.5 npm notice Run npm install -g [email protected] to update! npm notice
-
Multi stage docker build failing due to some error in bcrypt, how to fix it?
10 18.95 npm notice Changelog: https://github.com/npm/cli/releases/tag/v9.6.4
-
Question about CS2s demo viewer and movie features/capabilities
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated npm WARN deprecated [email protected]: This SVGO version is no longer supported. Upgrade to v2.x.x. added 1692 packages, and audited 1699 packages in 23s 211 packages are looking for funding run `npm fund` for details 27 vulnerabilities (1 low, 7 moderate, 18 high, 1 critical) To address issues that do not require attention, run: npm audit fix To address all issues (including breaking changes), run: npm audit fix --force Run `npm audit` for details. npm notice npm notice New minor version of npm available! 9.5.1 -> 9.6.2 npm notice Changelog: https://github.com/npm/cli/releases/tag/v9.6.2 npm notice Run npm install -g [email protected] to update! npm notice
- Everything about package.json
What are some alternatives?
secimport - eBPF Python runtime sandbox with seccomp (Blocks RCE).
gluetun - VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
steal-ur-stuff - Steal Ur Stuff
octo.nvim - Edit and review GitHub issues and pull requests from the comfort of your favorite editor
rebuilderd - Independent verification of binary packages - reproducible builds
nvm for Windows - A node.js version management utility for Windows. Ironically written in Go.
packj - Packj stops :zap: Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain
yarn.build - Build 🛠 and Bundle 📦 your local workspaces. Like Bazel, Buck, Pants and Please but for Yarn Berry. Build any language, mix javascript, typescript, golang and more in one polyglot repo. Ship your bundles to AWS Lambda, Docker, or any nodejs runtime.
notes - Notes, Questions, Ideas
vscode-dev-containers - NOTE: Most of the contents of this repository have been migrated to the new devcontainers GitHub org (https://github.com/devcontainers). See https://github.com/devcontainers/template-starter and https://github.com/devcontainers/feature-starter for information on creating your own!
pypi-scan - Scan pypi for typosquatting
enquirer - Stylish, intuitive and user-friendly prompts, for Node.js. Used by eslint, webpack, yarn, pm2, pnpm, RedwoodJS, FactorJS, salesforce, Cypress, Google Lighthouse, Generate, tencent cloudbase, lint-staged, gluegun, hygen, hardhat, AWS Amplify, GitHub Actions Toolkit, @airbnb/nimbus, and many others! Please follow Enquirer's author: https://github.com/jonschlinkert