Security news aggregator

Latest coverage for JavaScript

Stay updated on JavaScript security concerns – from vulnerabilities to best practices, keep your web applications safe with our info security tag.

253 headlines in this view

JavaScript is a dynamic programming language commonly used to create interactive effects within web browsers. In the context of information security, JavaScript comes into play in various ways. Primarily, it can be both a tool for developers to enhance user experience and a vector for cyber attacks such as Cross-Site Scripting (XSS), where attackers inject malicious scripts into trusted websites.

JavaScript security concerns also include issues such as code injection, event handling, and document object model (DOM) manipulation, which can potentially expose user data or compromise the integrity of web applications. To mitigate these risks, security professionals must rigorously implement best practices such as input validation, output encoding, and the use of content security policies (CSP). Understanding JavaScript security is crucial for protecting web applications from vulnerabilities and ensuring safe user interactions.

Showing 20 most recent headlines of 253 Filtered view

Info Security Magazine 1 week ago

PureLogs Variant Steals Data via Purchase Order Lures

FortiGuard Labs detailed a PureLogs campaign using JavaScript, PowerShell and process hollowing

More from Info Security Magazine 27 May 2026, 8:00 p.m. Fortinet JavaScript PowerShell

The Hacker News 1 week, 2 days ago

Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks

Threat actors are exploiting a recently disclosed critical security flaw in Ghost CMS to inject malicious JavaScript code with an aim to fuel ClickFix attacks

More from The Hacker News 26 May 2026, 12:02 a.m. Incident · 5 stories CVE-2026-26980 API CVE Critical Disclosure Flaw JavaScript SQL Threat Actor Unauthenticated Vulnerability

Bleeping Computer 1 week, 3 days ago

Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign

A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows. [...]

More from Bleeping Computer 25 May 2026, 2:12 a.m. Incident · 5 stories CVE-2026-26980 CVE Critical Flaw JavaScript SQL Vulnerability

The Hacker News 1 week, 4 days ago

Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware

A new "coordinated" supply chain attack campaign has impacted eight packages on Packagist including malicious code designed to run a Linux binary retrieved from a GitHub Releases URL

More from The Hacker News 24 May 2026, 4:07 a.m. Github JavaScript Linux Malicious Code Malware Supply Chain

Bleeping Computer 1 week, 6 days ago

Google accidentally exposed details of unfixed Chromium flaw

Google has accidentally leaked details about an unfixed issue in Chromium that keeps JavaScript running in the background even when the browser is closed, allowing remote code execution on the device. [...]

More from Bleeping Computer 22 May 2026, 6:13 a.m. Exposure Flaw Google JavaScript Leak Remote Code Execution

Dark Reading 2 weeks ago

Fake Android Apps Commit Carrier Billing Fraud for Premium Services

The disguised apps use WebView automation, JavaScript injection, and OTP interception to avoid detection and complete fraudulent subscriptions.

More from Dark Reading 21 May 2026, 8:35 a.m. Incident · 3 stories Android Automation Fake Fraud JavaScript

The Hacker News 2 weeks, 4 days ago

Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming

A critical security vulnerability impacting the Funnel Builder plugin for WordPress has come under active exploitation in the wild to inject malicious JavaScript code into WooCommerce checkout pages with the goal of stealing payment data

More from The Hacker News 17 May 2026, 3:20 a.m. Incident · 2 stories CVE Critical Flaw JavaScript Theft Vulnerability Wordpress

Bleeping Computer 2 weeks, 5 days ago

Funnel Builder WordPress plugin bug exploited to steal credit cards

A critical vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript snippets into WooCommerce checkout pages. [...]

More from Bleeping Computer 16 May 2026, 7:30 a.m. Incident · 2 stories Critical JavaScript Theft Vulnerability Wordpress

Bank Info Security 3 weeks ago

Mass Supply-Chain Attack Slams npm and PyPi, Hits Mistral AI

Latest Mini Shai-Hulud Worm Steals Credentials, Includes Wiper, Now Open SourceA new Shai-Hulud variant has infected multiple npm repositories and jumped to other widely used JavaScript and Python packages. Designed to rapidly propagate, the worm steals over 100 different types of credentials and can wipe systems, including if developers try to delete it.

More from Bank Info Security 14 May 2026, 5:30 a.m. Incident · 3 stories Artificial Intelligence Credentials Infection JavaScript Node.js Open Source Python Supply Chain Widely Used Worm

The Hacker News 3 weeks, 1 day ago

Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages

TeamPCP, the threat actor behind the recentsupply chain attack spree, has been linked to the compromise of the npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a fresh Mini Shai-Hulud campaign

More from The Hacker News 12 May 2026, 11:46 p.m. Artificial Intelligence Compromise JavaScript Node.js Supply Chain Threat Actor Worm

The Hacker News 3 weeks, 6 days ago

vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution

A dozen critical security vulnerabilities have been disclosed in the vm2 Node.js library that could be exploited by bad actors to break out of the sandbox and execute arbitrary code on susceptible systems

More from The Hacker News 7 May 2026, 4:15 p.m. Incident · 3 stories Critical Disclosure JavaScript Library Node.js Open Source Sandbox Vulnerability

The Hacker News 1 month ago

SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack

Cybersecurity researchers are sounding the alarm about a new supply chain attack campaign targeting SAP-related npm Packages with credential-stealing malware

More from The Hacker News 30 Apr 2026, 4:26 a.m. Incident · 2 stories Cloud Compromise Credentials Google JavaScript Malware Node.js Research Supply Chain Theft

The Hacker News 1 month, 1 week ago

Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape

A critical security vulnerability has been disclosed in a Python-based sandbox called Terrarium that could result in arbitrary code execution

More from The Hacker News 22 Apr 2026, 7:16 p.m. Incident · 3 stories Artificial Intelligence CVE Critical Disclosure Flaw JavaScript Python Root Sandbox Vulnerability

Bank Info Security 1 month, 1 week ago

How AI Supply-Chain Monitor Spotted Unfolding Axios Attack

Lightweight LLM-Driven Process Alerted Elastic's Security Team, Says James SpiteriElastic Security Labs quickly spotted the unfolding supply-chain attack that backdoored the popular JavaScript library Axios, thanks to a lightweight, AI-driven tool a researcher created to assess if repository changes looked malicious. Elastic's James Spiteri says further use cases abound.

More from Bank Info Security 22 Apr 2026, 8:00 a.m. Incident · 2 stories Artificial Intelligence JavaScript Library Supply Chain Tools

Info Security Magazine 1 month, 2 weeks ago

Formbook Malware Campaign Uses Multiple Obfuscation Techniques to Avoid Detection

Formbook attacks use combination of DLL Side-Loading and Obfuscated JavaScript to stay hidden, researchers at WatchGuard have uncovered

More from Info Security Magazine 21 Apr 2026, 3:01 a.m. JavaScript Malware Research

Cyber Scoop 1 month, 2 weeks ago

Why the Axios attack proves AI is mandatory for supply chain security

Two weeks ago, a suspected North Korean threat actor slipped malicious code into a package within Axios, a widely used JavaScript library. The immediate concern was the blast radius: roughly 100 million weekly downloads spanning enterprises, startups, and government systems. But beyond the sheer scale, the attack’s speed was just as worrisome – a stark […] The post Why the Axios attack proves AI is mandatory for supply chain security appeared first on CyberScoop.

More from Cyber Scoop 21 Apr 2026, 1:17 a.m. Incident · 2 stories Artificial Intelligence Government JavaScript Library Malicious Code North Korea Startup Supply Chain Threat Actor Widely Used

Bleeping Computer 1 month, 2 weeks ago

Critical flaw in Protobuf library enables JavaScript code execution

Proof-of-concept exploit code has been published for a critical remote code execution flaw in protobuf.js, a widely used JavaScript implementation of Google's Protocol Buffers. [...]

More from Bleeping Computer 19 Apr 2026, 3:09 a.m. Critical Exploit Flaw Google JavaScript Library PoC Remote Code Execution Widely Used

The Hacker News 1 month, 2 weeks ago

108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users

Cybersecurity researchers have discovered a new campaign in which a cluster of 108 Google Chrome extensions has been found to communicate with the same command-and-control (C2) infrastructure with the goal of collecting user data and enabling browser-level abuse by injecting ads and arbitrary JavaScript code into every web page visited

More from The Hacker News 14 Apr 2026, 8:35 p.m. Incident · 3 stories Abuse Chrome Command and Control Google JavaScript Research Theft

Bleeping Computer 2 months ago

LinkedIn secretly scans for 6,000+ Chrome extensions, collects data

A new report dubbed "BrowserGate" warns that Microsoft's LinkedIn is using hidden JavaScript scripts on its website to scan visitors' browsers for installed extensions and collect device data. [...]

More from Bleeping Computer 4 Apr 2026, 9:40 a.m. Chrome JavaScript Microsoft Report Social Media Warning