Malware and Node.js Container Security

Headlines

Microsoft research on weaponized Node.js malware - Threat actors misuse Node.js to deliver malware and other malicious payloads.

Overview of the malvertising campaign leveraging Node.js

Node.js Runtime Security

child_process: disallow args in execFile/spawn when shell option is true - This merged PR introduces a breaking change to the child_process module in Node.js. With this change, any call to execFile or spawn with the shell option set to true will now throw an error if any arguments are passed.

Recent Node.js Supply Chain Attacks

  • 2025 May 15: os-info-checker-es6 npm package leverages unicode steganography in Google calendar as command and control, by Veracode
  • 2025 May 8: Package rand-user-agent with 45,000 downloads compromised in supply chain attack for malicious RAT, by Aikido
  • 2025 May 7: Malicious npm Packages Infect 3,200+ Cursor Users With Backdoor, by Socket

Container security

Eric Allam from Trigger.dev shared a story about a container downtime error:

We had 7 minutes of downtime this morning because our “entrypoint.sh” script that is our docker CMD didn’t have set -e, leading to a previously failed prisma migration to go unnoticed.
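The failure mode in that story, reproduced as an added example (not Trigger.dev's script): two constructed entrypoints whose stand-in `migrate` step fails, run in a fresh shell once without and once with `set -e`. The function names, the temporary path and the stand-in commands are assumptions made for illustration.

```shell
#!/bin/sh
# Added example with constructed entrypoint scripts (not the original one).

# write_entrypoint FILE [strict]
# Writes a constructed entrypoint to FILE; "strict" adds `set -e` at the top.
write_entrypoint() {
  {
    echo '#!/bin/sh'
    if [ "${2:-}" = strict ]; then echo 'set -e'; fi
    cat <<'EOF'
# Stand-in for the migration step: it always fails.
migrate() { echo "migration failed" >&2; return 1; }
migrate
# Stand-in for starting the application.
echo "server started"
EOF
  } > "$1"
}

# run_entrypoint [strict]
# Runs the entrypoint as its own shell process, the way a container CMD would,
# and prints "exit=<status> output=<stdout>".
run_entrypoint() {
  dir=$(mktemp -d)
  write_entrypoint "$dir/entrypoint.sh" "${1:-}"
  status=0
  out=$(sh "$dir/entrypoint.sh" 2>/dev/null) || status=$?
  rm -rf "$dir"
  echo "exit=$status output=$out"
}

# Without set -e the failed migration is ignored: the app starts, exit status 0.
run_entrypoint
# With set -e the script stops at the failed migration and exits non-zero,
# so the container runtime or orchestrator sees the failure.
run_entrypoint strict
```

The entrypoint is executed as a separate `sh` process on purpose: `set -e` is ignored inside a function or subshell that is itself called on the left of `||` or in an `if` condition, so testing it in-process would hide the difference.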



🔮 Cybersecurity Tip of the Week

A joint project with the Linux Foundation and OpenSSF aims to provide a framework for navigating the Cybersecurity skills landscape.

If you’re looking to upskill in cybersecurity, or just move laterally between roles, check out the Cybersecurity Skills Framework.


