Okta's security incident and Solana's Supply Chain Attacks, Arcjet Security Headers tool, OpenSSF npm security best practices and impressions on AI Security with GitHub Copilot
Happy Early Christmas 🎄🎅🎁! I hope you’re enjoying the holiday season and the festive spirit. This week I have some interesting stories to share with you, from supply chain attacks to security headers and AI security. Let’s dive in!
Supply Chain Attack Detected in Solana’s web3.js Library @solana/web3.js - Solana’s Web3.js library, downloaded more than 350,000 times a week, was found to be compromised in a supply chain attack: two versions of the npm package, 1.95.6 and 1.95.7, were published to the npm registry with malicious code that drains users’ cryptocurrency wallets by stealing their private keys.
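If you want to know whether a project pulled in one of the two affected versions, a lockfile scan is the quickest defender-side check. The following is an added example, not code from the newsletter or from Solana: it walks the `packages` map of a lockfile v2/v3 `package-lock.json` (nested installs included) and reports any entry whose name and version match the advisory. The lockfile embedded below is constructed for the demo.

```javascript
// Added example: scan a package-lock.json (lockfileVersion 2 or 3) for the
// @solana/web3.js versions named in the story. Assumes the npm v7+ lockfile
// layout, where every installed package appears under "packages" keyed by
// its path, e.g. "node_modules/foo/node_modules/@scope/bar".

// Versions reported as compromised in the story (1.95.6 and 1.95.7).
const COMPROMISED_VERSIONS = {
  "@solana/web3.js": new Set(["1.95.6", "1.95.7"]),
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; null for the root entry "".
function packageNameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns every installed package whose name/version pair is on the advisory
// list. The lockfile argument is the parsed JSON object of package-lock.json.
function findCompromisedPackages(lockfile, advisories = COMPROMISED_VERSIONS) {
  const hits = [];
  const packages = (lockfile && lockfile.packages) || {};
  for (const [lockPath, meta] of Object.entries(packages)) {
    const name = packageNameFromLockPath(lockPath);
    if (!name || !meta || typeof meta.version !== "string") continue;
    const badVersions = advisories[name];
    if (badVersions && badVersions.has(meta.version)) {
      hits.push({ path: lockPath, name, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one direct install of a compromised version and
// one nested install of an unaffected version of the same package.
const SAMPLE_LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@solana/web3.js": { version: "1.95.7" },
    "node_modules/some-dep": { version: "2.0.0" },
    "node_modules/some-dep/node_modules/@solana/web3.js": { version: "1.95.5" },
  },
};

// Convenience wrapper for the demo; in real use, parse the project's own
// lockfile: findCompromisedPackages(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))
function scanSampleLockfile() {
  return findCompromisedPackages(SAMPLE_LOCKFILE);
}

console.log(JSON.stringify(scanSampleLockfile(), null, 2));
```

Point it at `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to scan a real project; a non-empty result means the dependency tree resolved to one of the compromised releases and should be pinned to a clean version and reinstalled.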
Usernames longer than 52 characters slide through login at Okta! - If you think managing passwords is a solved problem, look at Okta, the auth and identity management giant, and this story of broken access control.
Headlines
Security headers, set and forget with Nosecone - A new open source project from Arcjet is nosecone, a modern replacement for the helmet package that works with Node.js, Bun, Deno and other metaframeworks and provides sane security defaults out of the box. Here’s the Node.js usage example:
Oh by the way, I wrote a book about Learning HTTP Security Headers if you want to dive deeper into web security and hands-on practical skills concerning CORS, CSP, HSTS, Cookie Security and more.
OpenSSF npm security best practices guide - A helpful set of practices to follow and to which I contributed as part of OpenSSF’s Best Practices for Open Source Developers working group.
Exploiting Number Parsers in JavaScript - Borna Nematzadeh shares his research on security testing, exploitation and prevention scenarios when working with numbers in JavaScript.
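To make the class of problem concrete, here is an added example that is not part of Borna’s research or the newsletter: a table of lenient parsing results that often surprise developers (`parseInt` stopping at the first non-digit, an inferred hex radix, `Number("")` being `0`, and an integer above the safe range silently rounding), next to a strict integer parser that only accepts canonical decimal input inside an explicit range. The `parseStrictInt` name and its options are my own choices.

```javascript
// Added example: lenient JavaScript number parsing versus a strict parser.
// Nothing here is from the linked research; the function names are assumptions.

// Lenient parsing: each entry silently accepts input an application may not
// have meant to accept. Returned as an object so the values can be inspected.
function lenientParsingSurprises() {
  return {
    parseIntTrailingGarbage: parseInt("42abc", 10),   // 42: parsing stops at "a"
    parseIntHexPrefix: parseInt("0x1f"),              // 31: radix inferred from the prefix
    parseIntExponent: parseInt("1e3", 10),            // 1: "e3" is discarded
    numberEmptyString: Number(""),                    // 0: empty string coerces to zero
    numberWhitespace: Number("  12  "),               // 12: surrounding whitespace ignored
    numberExponent: Number("1e3"),                    // 1000: exponent notation accepted
    numberNull: Number(null),                         // 0
    numberLargeInteger: Number("9007199254740993"),   // 9007199254740992: precision lost
  };
}

// Canonical decimal integer: optional minus, no leading zeros, no "-0",
// no whitespace, no exponent, no hex prefix.
const STRICT_INT = /^(0|-?[1-9]\d*)$/;

// Strict parser: only strings, only canonical decimal digits, only values
// inside the IEEE-754 safe integer range, and optionally inside [min, max].
// Returns { ok: true, value } or { ok: false, reason }.
function parseStrictInt(input, options = {}) {
  const { min = Number.MIN_SAFE_INTEGER, max = Number.MAX_SAFE_INTEGER } = options;
  if (typeof input !== "string") {
    return { ok: false, reason: "input must be a string" };
  }
  if (!STRICT_INT.test(input)) {
    return { ok: false, reason: "not a canonical decimal integer" };
  }
  const value = Number(input);
  // Reject anything the float representation cannot hold exactly; the
  // round-trip check is a second guard against silent rounding.
  if (!Number.isSafeInteger(value) || String(value) !== input) {
    return { ok: false, reason: "outside the safe integer range" };
  }
  if (value < min || value > max) {
    return { ok: false, reason: `value must be between ${min} and ${max}` };
  }
  return { ok: true, value };
}

// Typical use at a trust boundary: a quantity field from a request body.
function parseQuantity(raw) {
  return parseStrictInt(raw, { min: 1, max: 1000 });
}

console.log(lenientParsingSurprises());
console.log(parseQuantity("42"), parseQuantity("42abc"), parseQuantity("1e3"));
```

The pattern to take away is allow-listing the exact textual form you expect and validating the range before the value reaches business logic; relying on `parseInt` or `Number` alone means the coercion rules, not your code, decide what counts as a valid number.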
Manuel Spigolon’s lessons on how to avoid event data loss due to Node.js service downtime - Manuel focuses explicitly on data replication based on a PostgreSQL database and the special-purpose pg_replication_slots view.
On AI Security… My latest experience with GitHub Copilot - when your GenAI tool gaslights you into thinking this is secure coding convention 😅
📦 On npm
deno - Yes, that’s the official Deno runtime package on npm, which you can now install as easily as npm install -g deno and start running Deno scripts and applications. This is possible after it took Ryan Dahl 5.5 years to get this package name ;-)
❗ New Security Vulnerabilities
- discord-json-scaller found to be a malicious package, 12 Dec 2024
- angular-expressions found vulnerable to CVE-2024-54152 prototype pollution, 10 Dec 2024
- nanoid found vulnerable to CVE-2024-55565 improper input validation, 9 Dec 2024
💼 Hiring
- ClickUp opening for Senior Backend Engineer, Data Platform in Poland 🇵🇱
- Infisical is hiring for FullStack Engineer, Node.js & TS in Remote 🌎
- Entro Security is hiring for Backend Engineer – NodeJS in Tel Aviv 🇮🇱
- Snyk is hiring for multiple seniority level roles in Software Engineer in Tel Aviv, London, Boston, and Remote 🌍 - reply to this email and ask me about the open positions 👋
🚀 Bun Security
Ready to expand your backend skills beyond Node.js?
My new course, Bun Security Essentials, now launched in early pre-sale access! Learn how to secure your Bun backend applications with hands-on exercises and practical examples.