Six Proto6 flaws in protobuf.js enable RCE and DoS attacks; patched in versions 7.5.6 and 8.0.2 to protect Node.js services.

Threat actors have struck the software supply chain yet again, this time hitting the Python Package Index (PyPI) with Mini Shai-Hulud in an attempt to spread poisoned code. In the latest campaign, ...

Cloudflare VoidZero acquisition gives a competing CDN governance of Vite, the open source JavaScript build tool with 130 ...

Vercel has released Next.js 16.2, featuring performance enhancements that make development startup 400% faster and rendering ...

Founded by Evan You, VoidZero was created with the goal of building a unified, high-performance JavaScript toolchain. Rather than focusing on a single framework, the ...

Red Hat hit by npm supply‑chain attack - here's how to stay safe ...

完全跑偏的那一半：前端工作的天花板，不是切页面。 前端真正值钱的能力——异步流程设计、流式体验优化、交互状态管理、组件化工程思维——这些 AI 一个都学不会。而这些能力，恰好是 AI Agent 应用开发最核心的竞争力。

A dependency confusion campaign leveraged 33 malicious npm packages to collect reconnaissance data from developer and build environments. This report details the attack chain, observed tradecraft, and ...

Developer platform Socket says a malware called TrapDoor is targeting crypto and AI developers across npm, PyPI and Crates, aiming to steal crypto wallet info and browser data.

Abstract: One of the more interesting developments recently gaining popularity in the server-side JavaScript space is Node.js. It's a framework for developing high-performance, concurrent programs ...

If the prerequisites are met, attackers can break out of the vm2 sandbox on a Node.js instance and execute malicious code. A proof-of-concept exploit is public, but so far there are no reports of ...

As the Wasmer team explains the reasons behind the new runtime, Node.js has two difficulties: it is tied to V8 as the only JavaScript engine and cannot securely execute workloads without ...