Critical flaw in Protobuf library enables JavaScript code execution

Proof-of-concept exploit code has been published for a critical remote code execution flaw in protobuf.js, a widely used ...
thetechedvocate.org

North Korean Hackers Target Axios NPM Package: A Wake-Up Call for JavaScript Developers

In a significant security incident that has sent shockwaves through the developer community, a North Korean state-sponsored hacking group has successfully compromised the popular Axios NPM package.
CSOonline

Devs looking for OpenClaw get served a GhostClaw RAT

A malicious npm package posing as an OpenClaw Installer has been caught deploying a remote access trojan (RAT) on victim machines, according to new JFrog research ...
Bleeping Computer

Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps

Threat actors are abusing Pastebin comments to distribute a new ClickFix-style attack that tricks cryptocurrency users into executing malicious JavaScript in their browser, allowing attackers to ...
InfoWorld

Beyond NPM: What you need to know about JSR

NPM, the Node Package Manager, hosts millions of packages and serves billions of downloads annually. It has served well over the years but has its shortcomings, including with TypeScript build ...
SecurityWeek

‘PackageGate’ Flaws Open JavaScript Ecosystem to Supply Chain Attacks

Half a dozen vulnerabilities in the JavaScript ecosystem’s leading package managers — including NPM, PNPM, VLT, and Bun — could be exploited to bypass supply chain attack protections, according to ...
InfoWorld

Unplugged holes in the npm and yarn package managers could let attackers bypass defenses against Shai-Hulud

A researcher at Koi Security says the two key platforms have not plugged the vulnerabilities enabling the worm attacks, and ‘the JavaScript ecosystem deserves better.’ Javascript developers should ...
HHS

Researchers Spot New Shai Hulud Variant

Security researchers at Aikido on Sunday uncovered an apparently new Shai Hulud variant, uploaded to npm through a GitHub repository called @vietmoney/react-big-calendar. Shai Hulud is the moniker for ...
Ars Technica

In 1995, a Netscape employee wrote a hack in 10 days that now runs the Internet

Thirty years ago today, Netscape Communications and Sun Microsystems issued a joint press release announcing JavaScript, an object scripting language designed for creating interactive web applications ...
bitnewsbot

Massive Shai Hulud JavaScript Attack Hits 400+ Packages, Crypto APIs

A new JavaScript supply-chain attack has compromised more than 400 software packages, including at least 10 heavily used in the cryptocurrency sector. The ongoing infection, driven by the “Shai Hulud” ...
GitHub

Dependency package @vitest/browser has a new version available

We have identified a dependency on version 3.2.4 of @vitest/browser. A new version (4.0.4) is available for upgrade. Following are the steps to upgrade package dependency. Understand the breaking ...
TechCrunch

OpenAI’s new browser is a broadside shot at Google

Today, OpenAI launched its new Atlas web browser in a surprise livestream. The show started with CEO Sam Altman, speaking directly to the audience. “We think AI represents a rare, once-a-decade ...