
Critical Node.js Vulnerabilities Expose Uninitialized Memory (CVE-2025-55131)

CVE-2025-55131 is a high-severity buffer allocation race condition vulnerability in Node.js that can lead to uninitialized memory exposure when using the vm module with execution timeouts. This vulnerability is part of a coordinated Node.js security update addressing eight vulnerabilities across all active release lines.

54 New NPM Packages Found Beaconing to C2 Server in Ethereum Smart Contract


Shai-Hulud: The Second Coming Hits npm Users

Once again, the npm supply chain has been compromised, putting developers who rely on these vital open source components at risk. On November 24th, a sophisticated attack was discovered that borrows techniques from the Shai-Hulud malware used in the npm hijacking this past September. This is not an isolated incident. It is a continuation of an existing campaign that now abuses CI/CD pipelines and GitHub automation to spread faster and steal more secrets than before.

Shai-Hulud npm supply chain attack - new compromised packages detected

(Nov 24, 2025) JFrog continues to track, research and document another wave of the Shai-Hulud software supply chain attack, which was originally reported by the JFrog Security Research team on 16-Sep-2025. Following the initial campaign, the threat actors have returned with more advanced tactics, compromising an additional 796 new malicious packages across leading public registries.

Top 10 Node.js Development Companies to Hire Skilled Developers

Slow releases, sluggish web apps, and clunky user experiences can stall growth, frustrate customers, and make promising digital products lose momentum. Many businesses struggle with legacy stacks that are hard to scale, costly to maintain, and too slow to keep pace with modern feature demands. Node.js changes this equation by enabling fast, event-driven, and scalable backends that handle high traffic and real-time interactions with ease. Its vast ecosystem, reusable components, and JavaScript end-to-end approach help teams ship features faster, reduce context switching, and improve overall performance.

Malicious NPM Package Found Targeting GitHub By Typosquatting on GitHub Action Packages

The package claims to be part of the GitHub Actions Toolkit, which has a legitimate npm package, @actions/artifact. This malware package is therefore a clear typosquat, created by swapping the letters “ti” for “it” in the legitimate name. We took a look at the “harness” binary shipped in version 4.0.13.

How Cloudflare's client-side security made the npm supply chain attack a non-event

In early September 2025, attackers used a phishing email to compromise one or more trusted maintainer accounts on npm. They used this to publish malicious releases of 18 widely used npm packages (for example chalk, debug, ansi-styles) that account for more than 2 billion downloads per week. Websites and applications that used these compromised packages were vulnerable to hackers stealing crypto assets (“crypto stealing” or “wallet draining”) from end users.

NPM Account Compromise - Tracking the "Shai-Hulud" Worm

Amid growing reports from the security community, Veracode has been closely tracking the resurgence of a sophisticated threat actor behind the recent npm account compromise and the injection of malware into the widely-used ‘nx’ package. This evolved malware now exhibits worm-like capabilities, enabling it to spread rapidly and amplify its infectious impact across the ecosystem.