
Netcrook


#Node.js


When a Build File Turns Into a Delivery Route for npm Poisoning

Published: 04 June 2026 16:31 | Category: Malware & Botnets | Geo: North America / USA | Author: IRONQUERY

A rapid package-chain incident shows how native build plumbing and install-time hooks can turn trusted developer workflows into a supply-chain risk.

The Archive Trap That Survived the Patch

Published: 03 June 2026 16:35 | Category: Vulnerabilities & Patch Management | Geo: Asia / China | Author: SECURESPECTER

A fresh Node.js library flaw shows how a fix for one symlink problem can still be outmaneuvered when filesystem reality diverges from a path string.

npm Package Linked to a Second Stage on Hugging Face Raises the Supply-Chain Stakes

Published: 22 May 2026 10:06 | Category: Malware & Botnets | Geo: North America / USA | Author: SIGNALMONK

A reported malicious npm package, terminal-logger-utils, is described as a dropper that fetches a second-stage Node.js payload and targets developer secrets such as SSH keys, Telegram sessions, wallets, and environment variables.

OtterCookie Finds the Soft Spot: Developer Machines Become Live Credential Targets

Published: 18 May 2026 12:49 | Category: Malware & Botnets | Author: SIGNALMONK

A Node.js remote-access trojan is being examined as a real-time secret harvester, a reminder that one infected workstation can put source control, cloud access, and automation accounts at risk.

When a Popular Node.js Helper Turned Into a Supply-Chain Trap

Published: 15 May 2026 10:22 | Category: Malware & Botnets | Geo: North America / USA | Author: SIGNALMONK

A widely downloaded npm package was flagged with malicious releases, showing how one poisoned dependency can turn routine imports into a credential risk.

When an npm Worm Starts Copying Itself, the Trust Model Becomes the Target

Published: 12 May 2026 20:28 | Category: Malware & Botnets | Geo: North America / USA | Author: NEXUSGUARDIAN

A new wave of malicious package activity tied to the TanStack ecosystem shows how one infected release can become a propagation engine, turning normal JavaScript dependency behavior into a supply-chain risk.

Node.js Under Fire: Public Exploits for vm2 Flaws Put Servers at Risk

Published: 09 May 2026 01:08 | Category: Vulnerabilities & Patch Management | Author: KERNELWATCHER

Node.js Sandbox Shattered: vm2 Vulnerabilities Put Millions of Apps at Risk

Published: 07 May 2026 09:03 | Category: Vulnerabilities & Patch Management | Author: KERNELWATCHER

A wave of critical flaws in the popular vm2 library exposes Node.js servers worldwide to full remote code execution, shattering the illusion of safe sandboxing.

Sandboxed No More: How vm2’s Security Wall Crumbled in Node.js

Published: 07 May 2026 07:02 | Category: Vulnerabilities & Patch Management | Author: SECPULSE

A torrent of critical flaws in the vm2 JavaScript sandbox exposes Node.js servers to total compromise, again.

Node.js Sandboxes Breached: Critical vm2 Flaw Shatters Security Walls

Published: 07 May 2026 01:07 | Category: Vulnerabilities & Patch Management | Author: KERNELWATCHER

A newly discovered vulnerability in the vm2 library exposes millions of servers to remote code execution by breaking the wall between sandboxed scripts and host systems.

Inside the ClickFix Conspiracy: How Node.js Malware Hijacks Windows Through Fake CAPTCHAs

Published: 07 April 2026 13:03 | Category: Security Awareness & Social Engineering | Author: CRYSTALPROXY

A new phishing campaign leverages clever social engineering, Tor, and fileless Node.js malware to create a stealthy, modular cybercrime service targeting Windows users.

Inside the North Korean Node.js Trap: How Hackers Are Targeting Open Source Gatekeepers

Published: 06 April 2026 15:06 | Category: Security Awareness & Social Engineering | Geo: Asia | Author: LOGICFALCON

A meticulous North Korean social engineering campaign is targeting top Node.js maintainers in a bid to hijack the software supply chain.

Inside the “Human Hack”: How Social Engineers Are Turning Open-Source Guardians into Malware Mules

Published: 04 April 2026 11:00 | Category: Security Awareness & Social Engineering | Geo: Asia | Author: CRYSTALPROXY

Sophisticated attackers impersonate recruiters and colleagues to compromise Node.js maintainers and poison the software supply chain.

Node.js Under Siege: Critical Flaws Expose Millions to Remote Crashes and DoS Attacks

Published: 26 March 2026 09:35 | Category: Vulnerabilities & Patch Management | Author: SECPULSE

A sweeping Node.js update patches seven vulnerabilities, including a major TLS flaw that lets attackers crash servers remotely.

Node.js Dodges Disaster: How Swift Patching Averted a Security Nightmare

Published: 25 March 2026 13:40 | Category: Vulnerabilities & Patch Management | Author: AUDITWOLF

A critical look into the rapid response that kept countless systems running Node.js out of the cybercriminal crosshairs.

JavaScript’s Silent Killer: How a Single Malicious Key Can Crash Node.js Servers Running Axios

Published: 10 February 2026 13:49 | Category: Vulnerabilities & Patch Management | Author: KERNELWATCHER

A newly uncovered flaw in the beloved Axios library lets attackers bring down servers with a single poisoned JSON property.

Ticking Timebomb: How a Simple JSON Key Can Crash Thousands of Node.js Servers

Published: 10 February 2026 11:36 | Category: Vulnerabilities & Patch Management | Author: SECPULSE

A critical Axios vulnerability lets attackers remotely bring down servers with a single malicious payload.

Node.js Sandboxes Breached: How a Single Flaw Shattered vm2’s Security Illusion

Published: 28 January 2026 15:38 | Category: Vulnerabilities & Patch Management | Author: KERNELWATCHER

A critical vulnerability in the popular vm2 library exposes Node.js applications to dangerous sandbox escapes and arbitrary code execution.

Behind the Curtain: How a Single Node.js Library Became a Cybersecurity Flashpoint

Published: 28 January 2026 13:46 | Category: Vulnerabilities & Patch Management | Author: KERNELWATCHER

A critical flaw in the popular vm2 library exposes Node.js applications worldwide to stealthy attacks.

Node.js Sandbox in Crisis: How a Promise Loophole Exposed Hundreds of Thousands to Silent Takeover

Published: 28 January 2026 04:13 | Category: Vulnerabilities & Patch Management | Author: SECPULSE

A critical flaw in the popular vm2 library let attackers break free from the sandbox, threatening the integrity of countless Node.js applications worldwide.