#nodejs

Cybersecurity researchers have disclosed details of what has been described as a "sustained and targeted" spear-phishing campaign that has published over two dozen packages to the npm registry to facilitate credential theft. The activity, which involved uploading 27 npm packages from six different npm aliases, has primarily targeted sales and commercial personnel at critical

Trust Wallet is urging users to update its Google Chrome extension to the latest version following what it described as a "security incident" that led to the loss of approximately $7 million. The issue, the multi‑chain, non‑custodial cryptocurrency wallet service said, impacts version 2.68. The extension has about one million users, according to the Chrome Web Store listing. Users are advised to

A vulnerability exists in the libxmljs 1.0.11 when parsing a specially crafted XML document. Accessing the internal _ref property on entity_ref and entity_decl nodes causes a segmentation fault, potentially leading to a denial-of-service (DoS).

Koi Security uncovers lotusbail, a malicious npm package with 56K downloads that steals WhatsApp messages and installs a persistent backdoor. Learn how to protect your data.

A critical security flaw has been disclosed in LangChain Core that could be exploited by an attacker to steal sensitive secrets and even influence large language model (LLM) responses through prompt injection. LangChain Core (i.e., langchain-core) is a core Python package that's part of the LangChain ecosystem, providing the core interfaces and model-agnostic abstractions for building

A critical security vulnerability has been disclosed in the n8n workflow automation platform that, if successfully exploited, could result in arbitrary code execution under certain circumstances. The vulnerability, tracked as CVE-2025-68613, carries a CVSS score of 9.9 out of a maximum of 10.0. The package has about 57,000 weekly downloads, according to statistics on npm. "Under certain

Hi Fedify team! 👋 Thank you for your work on Fedify—it's a fantastic library for building federated applications. While reviewing the codebase, I discovered a Regular Expression Denial of Service (ReDoS) vulnerability that I'd like to report. I hope this helps improve the project's security. --- ## Summary A Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at `packages/fedify/src/runtime/docloader.ts:259` contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. **An attacker-controlled federated server can respond with a small (~170 bytes) malicious HTML payload that blocks the victim's Node.js event loop for 14+ seconds, causing a Denial of Service.** | Field | Value | |-------|-------| | **CWE** | CWE-1333 (Inefficient Regular Expression Complexity) | --- ## Details ### Vulnerable Code The vulnerability is located in `packages/fedify/src/runtime...

Cybersecurity researchers have disclosed details of a new malicious package on the npm repository that works as a fully functional WhatsApp API, but also contains the ability to intercept every message and link the attacker's device to a victim's WhatsApp account. The package, named "lotusbail," has been downloaded over 56,000 times since it was first uploaded to the registry by a user named "

Cybersecurity researchers have disclosed details of a new campaign that has used cracked software distribution sites as a distribution vector for a new version of a modular and stealthy loader known as CountLoader. The campaign "uses CountLoader as the initial tool in a multistage attack for access, evasion, and delivery of additional malware families," Cyderes Howler Cell Threat Intelligence

### Summary ```tinacms``` uses the ```gray-matter``` package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. ### Details The ```gray-matter``` package executes by default the code in the markdown file's front matter. ```tinacms``` does not change this behavior when process markdown file, e.g., by passing a custom engine property for js/javascript in the options object. ### PoC 1. Create a tinacms app using the cli/documentation: ``` npx create-tina-app@latest ``` 2. Modify one of the blog posts to contain the following front matter: ```js ---js { "title": "Pawned" + console.log(require("fs").readFileSync("/etc/passwd").toString()) } --- ``` 3. Start the tinacms server, e.g., with ```npm run dev``` 4. Observe the console of the server printing the password file, showing that attackers can execute arbitrary commands. ### Impact RCE: attackers can execute arbitrary JavaScript code on th...