Security news aggregator

Latest coverage for Node.js

Node.js security covers vulnerabilities, dependency risks, and runtime defenses that can affect server-side applications and their data.

2 headlines in this view

Refine the feed

Search across headline titles and summaries.

Tag briefing

Background for this topic.

Node.js is an open-source, cross-platform runtime that executes JavaScript outside a web browser, using Google’s V8 engine. Its event-driven, non-blocking input/output model is widely used for web servers, APIs, command-line tools, and backend services. The runtime is not itself an application framework; security outcomes depend substantially on the code and modules running within it.

Security concerns include vulnerabilities in the Node.js runtime, insecure application logic such as injection or server-side request forgery, and risks from the large npm dependency ecosystem. Malicious or compromised packages, unsafe install scripts, transitive dependencies, and prototype-pollution flaws can expand an application’s attack surface. Practitioners should track runtime and package advisories, use lockfiles and dependency review, restrict package-install and process permissions where practical, validate untrusted input, and protect credentials and session data. During incidents, dependency inventories and build records help determine whether a vulnerable module or runtime was deployed.

Showing 2 most recent headlines Filtered view
Bank Info Security 10 months, 1 week ago

Cryptohack Roundup: SwissBorg's $41M Exploit

Also: Hackers Use Ethereum Smart Contracts to Hide Malicious npm CodeSwissBorg $41M hack, hidden malicious npm code, sanctions on Southeast Asian networks, California launderer's sentencing, Kinto's shuttering, Venus Protocol pays back victim, Nemo Protocol hack, DOJ's $5M recovery effort, Lagarde's proposed rules and the SEC-CFTC plan for market clarity.

Bank Info Security 10 months, 1 week ago

Hackers Compromise 18 NPM Packages in Supply Chain Attack

Attacker Socially Engineered Developer With Phishing EmailA hacker laced 18 popular npm packages with cryptocurrency stealing malware after socially engineering the developer into giving up his credentials to the JavaScript runtime environment. Aikido Security said the 18 software packages collectively have downloads of more than two billion each week.