Introducing Nub: an all-in-one toolkit for Node.js
Blocking Install Scripts Is Not a Silver Bullet
A new attempt to add standard tools to Node.js.
A few days ago I published a test I did with OpenCode.
What started as an experiment ended up becoming El Bagual del Gol. ⚽️🐎
It already has live matches, fixtures, standings, top scorers and World Cup statistics.
I'm still adding features and polishing details, but it's already mature enough to share.
If anyone wants to try it and leave feedback:
https://bagualgol.duckdns.org/
#OpenCode #AI #Programming #WebDev #React #NodeJS #Futbol #WorldCup2026 #api
The item worth reading twice in Node.js's June 18 release is CVE-2026-48618: a TLS wildcard-depth check that a Unicode dot separator can bypass, defeating hostname authentication without any obvious signal. It rides alongside 12 other CVEs across 22.23.0, 24.17.0 and 26.3.1, including a HIGH-rated WebCrypto AES integer overflow. Most teams patch crashers fast and silent auth bypasses slowly. Which kind does your process prioritize?
Node.js released 22.23.0, 24.17.0 and 26.3.1 on June 18, closing 13 CVEs. Two are HIGH severity: CVE-2026-48933, a WebCrypto AES integer overflow that triggers a remote process abort, and CVE-2026-48618, a TLS check where a Unicode dot separator defeats wildcard-depth validation and bypasses authentication. The releases also bundle llhttp 9.4.2, nghttp2 1.69.0 and openssl 3.5.7. How long does a Node patch take to reach your production fleet?
OXLOADER: new loader evading detection to drop infostealer
A previously undocumented Windows loader designated as OXLOADER delivers the CASTLESTEALER infostealer through malicious Google Ads campaigns, achieving remarkably low detection rates. The loader employs multiple obfuscation layers including control-flow flattening, opaque predicates, and mixed Boolean-Arithmetic techniques, along with self-modifying decryption stubs and abuse of the Windows .reloc section for shellcode staging. Distribution occurs via malvertising impersonating Node.js installations, redirecting victims through intermediary domains to Storj-hosted batch scripts. The loader implements five anti-VM and language checks, including CIS-region and Russian-language exclusions, suggesting a financially motivated Russian-speaking threat actor. OXLOADER uses DonutLoader to deliver the .NET-based CASTLESTEALER payload in memory, evading traditional detection mechanisms through deliberate engineering choices.
Pulse ID: 6a34874a45b9c09ee90c0aff
Pulse Link: https://otx.alienvault.com/pulse/6a34874a45b9c09ee90c0aff
Pulse Author: AlienVault
Created: 2026-06-19 00:03:22
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #ELF #Google #GoogleAds #InfoSec #InfoStealer #Malvertising #NET #Nodejs #OTX #OpenThreatExchange #RAT #Russia #SMS #ShellCode #Windows #XLoader #bot #AlienVault
From package to postinstall payload: Inside the Mastra npm supply chain compromise
Microsoft Threat Intelligence discovered a large-scale npm supply chain attack compromising over 140 packages in the mastra and @mastra scopes. The attack originated from takeover of the ehindero npm maintainer account, which published poisoned package versions introducing easy-day-js, a malicious typosquat of the popular dayjs library. The malicious package executed a postinstall hook that deployed an obfuscated dropper script, disabled TLS certificate verification, contacted command-and-control infrastructure at 23.254.164.92 and 23.254.164.123, and downloaded a second-stage payload. This 41KB cross-platform Node.js implant installed persistence mechanisms, performed cryptocurrency wallet inventory, exfiltrated browser history and host reconnaissance data, and on Windows performed reflective .NET assembly injection for fileless in-memory code execution. Any developer workstation or CI/CD pipeline executing npm install after compromise was potentially exposed regardless of code usage.
Pulse ID: 6a338520dd8f528ed63d76f0
Pulse Link: https://otx.alienvault.com/pulse/6a338520dd8f528ed63d76f0
Pulse Author: AlienVault
Created: 2026-06-18 05:41:52
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #CyberSecurity #InfoSec #Microsoft #NET #NPM #Nodejs #OTX #OpenThreatExchange #RAT #SMS #SupplyChain #TLS #Windows #bot #cryptocurrency #AlienVault