Six Proto6 flaws in protobuf.js enable RCE and DoS attacks; patched in versions 7.5.6 and 8.0.2 to protect Node.js services.

Threat actors have struck the software supply chain yet again, this time hitting the Python Package Index (PyPI) with Mini Shai-Hulud in an attempt to spread poisoned code. In the latest campaign, ...

Cloudflare VoidZero acquisition gives a competing CDN governance of Vite, the open source JavaScript build tool with 130 ...

Vercel has released Next.js 16.2, featuring performance enhancements that make development startup 400% faster and rendering ...

Red Hat hit by npm supply‑chain attack - here's how to stay safe ...

完全跑偏的那一半：前端工作的天花板，不是切页面。 前端真正值钱的能力——异步流程设计、流式体验优化、交互状态管理、组件化工程思维——这些 AI 一个都学不会。而这些能力，恰好是 AI Agent 应用开发最核心的竞争力。

Developer platform Socket says a malware called TrapDoor is targeting crypto and AI developers across npm, PyPI and Crates, aiming to steal crypto wallet info and browser data.

Abstract: One of the more interesting developments recently gaining popularity in the server-side JavaScript space is Node.js. It's a framework for developing high-performance, concurrent programs ...

If the prerequisites are met, attackers can break out of the vm2 sandbox on a Node.js instance and execute malicious code. A proof-of-concept exploit is public, but so far there are no reports of ...

As the Wasmer team explains the reasons behind the new runtime, Node.js has two difficulties: it is tied to V8 as the only JavaScript engine and cannot securely execute workloads without ...

A critical sandbox escape vulnerability has been disclosed in the popular vm2 Node.js library that, if successfully exploited, could allow attackers to run arbitrary code on the underlying operating ...

Sandbox escape vulnerability in vm2, used by nearly 900 NPM packages, allows attackers to bypass security protections and execute arbitrary code. A critical vulnerability has been patched in vm2, a ...