Popular JavaScript polyfill library delivers malware, Node.js core performance boosts and more
Polyfill supply chain attack embeds malware in JavaScript CDN assets — What started as a polyfill JavaScript library sell-off, in which maintainer Andrew Betts transferred GitHub repository rights to a third-party company, ended up as a malware distribution vehicle for a Chinese malicious actor, now putting as much as 4% of the web at risk. [snyk]
Headlines
Rafael Gonzaga tees up upcoming UDP support in the Node.js permission model [github]
Yagiz Nizipli continues the performance speed-up quest with gains in fs.existsSync() on Windows [github]
Electron got tricked into solving math issues and ended up with Remote Code Execution — Electron has been well recognized for bloat and performance issues, as well as the once-in-a-while security vulnerability, and this time it’s all about Cross-site Scripting due to a vulnerable Preload API surface, escalating up to code execution [0reg.dev]
The security vulnerability of serving images via a route as opposed to static middleware in Node.js [nodejs-security.com]
In other news, a tutorial on the devto website wants to teach developers about building Node.js servers and completely fails to provide security disclaimers or follow secure coding practices. Surely there are other issues at play, but I’ll give the author the benefit of the doubt that they wanted to teach the basics. Hopefully you can find the security issues here:
On npm
my-ua-parser - by Matteo Collina, is a fork of the popular ua-parser-js package that you should switch to due to recent license changes.
kysely-ctl - by Igal Klebanov, this npm package is a handy command-line tool for Kysely, if you’re into strongly typed query builders.
New Security Vulnerabilities
- strapi found vulnerable to Server-Side Request Forgery, 13 Jun 2024
- ws found vulnerable to Denial of Service (DoS), 17 Jun 2024
- jquery-ui-dist found vulnerable to Cross-site Scripting (XSS), 17 Jun 2024
- nodem0m is a malicious package, hopefully you didn’t typo that in the terminal 😅
Hiring
- Snyk hiring for Associate Security Researcher - Hunter team in 🇷🇴
- Snyk hiring for Staff Software Engineer DX (TypeScript & Node.js) in 🇬🇧
- SentinelOne hiring for Senior Threat Researcher in 🇮🇱
- SentinelOne hiring for Staff Software Engineer JS, React in 🇮🇳
- Datadog hiring for Library Software Engineer, Node.js in EMEA
- Datadog hiring for Software Engineer, Web Browser SDK in 🇵🇹
ICYMI - node:test now supports experimental ESM+CJS module mocking. It will remain experimental at least until the folks maintaining node figure out how they want module hooks to work.
— Colin Ihrig, June 19, 2024
On the same note, Colin also added support for test plans in Node.js built-in test runner, available in Node.js 20.15.0.