We are a weekly podcast and newsletter made to deliver quick and relevant JavaScript updates in just under 4 minutes. We are a weekly podcast and newsletter made to deliver quick and relevant ...

Matteo Collina has proposed a Virtual File System (VFS) for Node.js core through the node:vfs module. The proposal includes about 19,000 lines of code and addresses common workflow challenges. While ...

IT之家 5 月 6 日消息，当地时间 5 月 5 日， Node.js 团队发布了最新的 Node.js 26.0.0 版本（Current）， Node.js 26 将于 10 月进入 LTS（长期支持）阶段 。

Attackers hijacked a dormant npm maintainer account and pushed malicious node-ipc versions that steal crypto keys, AWS tokens ...

Hackers have injected credential-stealing malware into newly published versions of node-ipc, a popular inter-process communication package, in a new supply chain attack targeting npm. The node-ipc ...

Attackers performed an email takeover attack on a dormant maintainer account and published new node-ipc versions containing ...

Cybersecurity researchers are sounding the alarm about what has been described as "malicious activity" in newly published ...

AI now generates more than 50% of the world’s code, and growing. The tooling that catches what that code breaks in production was not made to keep up with that speed of delivery. NodeSource, the ...

MuddyWater targeted 9 organizations in 9 countries during Q1 2026, using DLL side-loading to steal data and evade detection.

IT之家 5 月 16 日消息，科技媒体 NeoWin 昨日（5 月 15 日）发布博文，报道称 npm 热门包 node-ipc 遭遇新的供应链攻击，多个新发布版本被植入信息窃取恶意代码。IT之家注：node-ipc 是一个 Node.js ...

研究人员在vm2 JavaScript沙箱库中发现13个严重漏洞，攻击者可借此突破容器限制并在宿主系统执行任意命令。其中CVE-2026-26956可在特定Node.js 25与WebAssembly组合环境下完全逃逸沙箱，CVE-2026-44007则通过nesting:true配置选项触发权限控制缺陷。安全研究人员建议开发者立即升级至vm2 3.11.2版本，并考虑将不可信代码迁移至Docke ...

Developer platform Socket says a malware called TrapDoor is targeting crypto and AI developers across npm, PyPI and Crates, aiming to steal crypto wallet info and browser data.