If reinstalling software feels repetitive, these tools have some ideas.

Researchers have uncovered a supply-chain attack that hides in Python packages, propagates like a worm, and tricks LLM-based ...

Loki is a stage-1 command and control (C2) framework written in Node.js, built to script-jack vulnerable Electron apps MITRE ATT&CK T1218.015. Developed for red team operations, Loki enables evasion ...

A new version of the Bun JavaScript runtime and toolkit is out with enhanced testing support and improved memory management. The latter is a critical issue to devs and follows complaints of memory ...

OpenClaw Node for VS Code really can read workspace files, apply instructions from a local skill file, and write results back through the VS Code API sandbox. On Windows, the path to that result is ...

A "coordinated developer-targeting campaign" is using malicious repositories disguised as legitimate Next.js projects and technical assessments to trick victims into executing them and establish ...

Sandbox escape vulnerability in vm2, used by nearly 900 NPM packages, allows attackers to bypass security protections and execute arbitrary code. A critical vulnerability has been patched in vm2, a ...

A ransomware gang exploited the critical React2Shell vulnerability (CVE-2025-55182) to gain initial access to corporate networks and deployed the file-encrypting malware less than a minute later.

YouTube's specifications are extremely complex and change frequently. The yt-dlp development team previously supported YouTube using a method that heavily relied on regular expressions. However, in ...

Microsoft is calling attention to an ongoing malvertising campaign that makes use of Node.js to deliver malicious payloads capable of information theft and data exfiltration. The activity, first ...

Since October 2024, Microsoft Defender Experts (DEX) has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to ...