Security news aggregator

Latest coverage for Node.js

Node.js security covers vulnerabilities, dependency risks, and runtime defenses that can affect server-side applications and their data.

8 headlines in this view

Refine the feed

Search across headline titles and summaries.

Tag briefing

Background for this topic.

Node.js is an open-source, cross-platform runtime that executes JavaScript outside a web browser, using Google’s V8 engine. Its event-driven, non-blocking input/output model is widely used for web servers, APIs, command-line tools, and backend services. The runtime is not itself an application framework; security outcomes depend substantially on the code and modules running within it.

Security concerns include vulnerabilities in the Node.js runtime, insecure application logic such as injection or server-side request forgery, and risks from the large npm dependency ecosystem. Malicious or compromised packages, unsafe install scripts, transitive dependencies, and prototype-pollution flaws can expand an application’s attack surface. Practitioners should track runtime and package advisories, use lockfiles and dependency review, restrict package-install and process permissions where practical, validate untrusted input, and protect credentials and session data. During incidents, dependency inventories and build records help determine whether a vulnerable module or runtime was deployed.

Showing 8 most recent headlines Filtered view

Threat actors compromised AsyncAPI packages and weaponized trusted CI/CD workflows to distribute malware through npm. This analysis breaks down the attack chain, payload delivery, and recommended defenses. The post Unpacking the AsyncAPI npm supply chain compromise and import-time payload delivery appeared first on Microsoft Security Blog.

AsyncAPI npm packages with 2M weekly downloads were compromised, spreading malware with info-stealing, crypto-theft and RAT capabilities. OX Security researchers disclosed on July 14 that the AsyncAPI npm organization was compromised, with malicious code injected into four packages that together account for over 2 million weekly downloads. The affected versions are @asyncapi/generator 3.3.1, @asyncapi/generator-components 0.7.1, […]

Bank Info Security 4 days, 18 hours ago

Jscrambler npm Breach Exposes Developers to Malware

Malware Harvested Cloud Credentials, Source Code and Deployment TokensAttackers used a compromised npm publishing credential to release five malicious versions of Jscrambler's Code Integrity package, deploying a Rust-based infostealer that harvested developer, cloud and AI tool credentials while evolving its delivery methods to evade detection.