🦄 Node.js Security

Shai-Hulud, Nx and even MCP malware in Supply Chain Attacks on the Node.js Ecosystem

npm Security Best Practices

  • npm Security Best Practices - A GitHub repository with up-to-date modern 2025 curated list of best practices for securing npm packages and projects, covering topics like secure package management against postinstall scripts, package health signals, and security hardening for local development workflows.

Supply Chain Attacks and Node.js Ecosystem Security

  • Embedded Malicious Code in tinycolor and ngx-bootstrap releases on npm - The “Shai-Hulud” attack compromised npm packages like ngx-bootstrap and tinycolor, embedding malware to exfiltrate cloud credentials and secrets. Node.js developers should treat affected systems as compromised, remove malicious packages, rotate secrets, and audit for anomalies. Snyk provides tools for detection and remediation, emphasizing the critical need for supply chain security.

  • Weaponizing AI Coding Agents for Malware in the Nx Malicious Package Security Incident - This article details a security incident involving malicious Nx package releases on npm, exploiting AI coding agents for data exfiltration. The attack leveraged a compromised npm token and flawed CI workflow, highlighting the need for provenance checks and secure CI configurations. Developers are advised to rotate credentials, audit environments, and enforce security measures like 2FA and disabling install scripts to mitigate such supply chain attacks.

  • npm Supply Chain Attack via Open Source maintainer compromise - This article details a phishing attack on a prominent npm maintainer, leading to the injection of malicious code into popular packages. The attack targeted crypto transactions by redirecting them to an attacker-controlled address. Developers are advised to check for compromised dependencies and use tools like Snyk for monitoring. The incident underscores the importance of securing maintainer accounts with 2FA to prevent similar supply chain attacks.

MCP Malware

  • Malicious MCP Server on npm postmark-mcp Harvests Emails - The npm package postmark-mcp was found to exfiltrate email contents by adding a BCC to an external domain, affecting versions from 1.0.16. Node.js developers using this package should uninstall it, rotate credentials, and review email logs. The incident highlights the risks of supply chain attacks in the Node.js ecosystem, emphasizing the need for vigilant package management and the use of tools like Snyk’s MCP-Scan for detecting malicious behavior.

Node.js Ecosystem Updates

  • Bun v1.2.15 - This release enhances Node.js compatibility with support for vm.SourceTextModule and perf_hooks.createHistogram, introduces bun audit for dependency security checks, and fixes several bugs including a memory leak in DNS resolution. These updates improve security and performance, making Bun a more robust alternative for Node.js developers.

  • How Express.js Rebuilt Its Vulnerability Reporting Process - Express.js has overhauled its vulnerability reporting process with a formalized workflow, unified security policy, and GitHub Security Advisories, enhancing transparency and responsiveness. Now under the OpenJS Foundation CNA, Express can assign CVE IDs, improving coordination and disclosure practices. A bug bounty program is also in development to further strengthen security.

Node.js Security Newsletter

Subscribe to get everything in and around the Node.js security ecosystem, direct to your inbox.

    JavaScript & web security insights, latest security vulnerabilities, hands-on secure code insights, npm ecosystem incidents, Node.js runtime feature updates, Bun and Deno runtime updates, secure coding best practices, malware, malicious packages, and more.

    Built with ConvertKit