npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, πŸ‘‹, I’m Ryan HefnerΒ  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you πŸ™

Β© 2026 – Pkg Stats / Ryan Hefner

@sidx1/ciavault

v1.0.0

Published

πŸ” Hide any file inside an image or any other file using steganography + AES-256 encryption

Readme

πŸ” ciavault

Hide any file inside an image or any other file using steganography + AES-256 encryption.

ciavault lets you conceal a secret file inside a carrier file (a PNG image, a PDF, a zip, a video β€” anything). The carrier looks and works completely normally. Only someone who knows a secret was hidden can extract it.


Features

  • Two hiding methods
    • lsb β€” Least Significant Bit pixel steganography (PNG only, visually undetectable)
    • eof β€” End-of-File injection (works with any file type)
  • AES-256-GCM encryption β€” optionally encrypt the payload before hiding it
  • Key derivation via scrypt β€” brute-force resistant
  • CLI + programmatic API
  • Zero native dependencies

Installation

npm install -g ciavault

Or locally in your project:

npm install ciavault

CLI Usage

Hide a file

# Auto-detect method (lsb for .png, eof for everything else)
ciavault hide -c photo.png -s secret.pdf -o output.png

# Force EOF method (works with any carrier)
ciavault hide -c video.mp4 -s secret.txt -o output.mp4 --method eof

# Hide and encrypt
ciavault hide -c photo.png -s secret.txt -o output.png --passphrase "correct horse battery staple"

Reveal a hidden file

# Auto-detect method, save to current directory
ciavault reveal -c output.png

# Decrypt and reveal
ciavault reveal -c output.png --passphrase "correct horse battery staple"

# Save to a specific directory
ciavault reveal -c output.png -o ./recovered/

Check if a file has a hidden payload

ciavault info -c output.png

Remove a hidden EOF payload (restore original)

ciavault strip -c output.mp4 -o restored.mp4

Programmatic API

const ciavault = require('ciavault');

// ── Hide ────────────────────────────────────────────────────────────────────
const outputBuf = await ciavault.hide({
  carrier:    'photo.png',           // path or Buffer
  secret:     'secret.txt',          // path or Buffer
  method:     'auto',                // 'lsb' | 'eof' | 'auto'
  passphrase: 'my secret passphrase' // optional
});
fs.writeFileSync('output.png', outputBuf);

// ── Reveal ───────────────────────────────────────────────────────────────────
const { filename, data } = await ciavault.reveal({
  carrier:    'output.png',
  passphrase: 'my secret passphrase' // required if encrypted
});
fs.writeFileSync(filename, data);

// ── Info ─────────────────────────────────────────────────────────────────────
const result = await ciavault.info({ carrier: 'output.png' });
// β†’ { hasPayload: true, encrypted: false, filename: 'secret.txt', size: 1234 }

Using Buffers directly

const carrier = fs.readFileSync('photo.png');
const secret  = fs.readFileSync('document.pdf');

const output = await ciavault.hide({
  carrier,
  secret,
  secretName: 'document.pdf', // required when passing Buffers
  method: 'lsb',
});

How It Works

LSB (Least Significant Bit)

Each pixel in a PNG image is stored as RGBA values (0–255 per channel). ciavault modifies only the least significant bit of the R, G, and B channels of each pixel to encode the payload. A change of Β±1 in a colour value is completely invisible to the human eye and undetectable by casual inspection.

Capacity: floor(width Γ— height Γ— 3 / 8) - 4 bytes

Example: a 1920Γ—1080 PNG can hold up to ~777 KB of hidden data.

EOF Injection

The payload is appended to the end of the carrier file, sandwiched between two unique sentinel markers (magic bytes + a random nonce). Most applications ignore trailing data after their format's end-of-file marker, so the carrier continues to open and work normally.

Capacity: unlimited (only disk space).


Security Notes

  • LSB steganography is not cryptographically secure by itself. Anyone who knows to look can run statistical analysis. Always use --passphrase for sensitive data.
  • EOF injection can be detected by checking if a file has trailing data after its normal EOF marker. Use encryption to make the payload opaque.
  • The passphrase is processed through scrypt (N=16384, r=8, p=1) before use, which is deliberately slow to resist brute-force attacks.
  • Authentication is provided by AES-256-GCM's built-in auth tag β€” tampering with the ciphertext is detected.

License

MIT