Use @deno_land's `deno run` instead with appropriate sandboxing flags.
Example: https://github.com/okTurtles/chel/pull/58/files
#nodejs #npx #infosec #security
New Threat Research: We uncovered 4 malicious packages (3 on npm, 1 on PyPI) with 56,000+ downloads, all delivering surveillance malware capable of keylogging, screen capture, and webcam access.
Here’s what we found: https://socket.dev/blog/surveillance-malware-hidden-in-npm-and-pypi-packages #NodeJS #JavaScript #Python
Attackers have hijacked the npm 'is' package (~2.8M weekly downloads), adding a malicious JS loader. This compromise is linked to the recent npm phishing campaign. Read our update on this ongoing supply chain attack:
https://socket.dev/blog/npm-is-package-hijacked-in-expanding-supply-chain-attack #NodeJS #JavaScript
A critical vulnerability in the widely used npm form-data package could allow HTTP Parameter Pollution, potentially impacting millions of projects. The package sees 100M+ downloads weekly.
Details → https://socket.dev/blog/critical-vulnerability-in-popular-npm-form-data-package #NodeJS #JavaScript
Bun 1.2.19 introduces isolated installs for monorepos, smarter package management, and 5x faster Bun.sql.
Congrats to @jarredsumner and all the @bunjavascript contributors: https://socket.dev/blog/bun-1-2-19-adds-isolated-installs-for-better-monorepo-support #NodeJS
Active supply chain attack on npm:
Multiple Prettier tooling packages were compromised through the phishing campaign we published about just hours ago. Watch out for more compromised accounts and malicious packages.
Follow-up: https://socket.dev/blog/npm-phishing-campaign-leads-to-prettier-tooling-packages-compromise #nodejs #npm
npm phishing alert!
Attackers are sending emails from spoofed support@npmjs.org addresses linking to a typosquatted clone site (npnjs.com) to steal credentials. This attack is designed to hijack npm accounts.
https://socket.dev/blog/npm-phishing-email-targets-developers-with-typosquatted-domain #nodejs #JavaScript
UPDATE: Socket's Threat Research Team continues tracking the spread of protestware targeting Russian language users. The latest findings show 28 npm packages with nearly 2,000 versions affected.
https://socket.dev/blog/protestware-update-28-npm-packages-affected-by-payload-targeting-russian-language-users #cybersecurity #nodejs
Is your company looking for a keen self-hoster with plenty of #Linux experience? I grew up with #RaspberryPi and have picked up many skills along the way including #React, backend JavaScript (#NodeJS) and #Docker. My current obsession is monitoring all the things with #Grafana, #PRTG and #Prometheus. I’m based in the UK but open to primarily English-speaking roles in Germany, too. Currently wrapping up my Advanced Software Development degree but eager to continue learning! Boosts appreciated :D
New research: North Korea’s Contagious Interview campaign is back, with 67 new malicious npm packages, a new malware loader (XORIndex), and 17K+ downloads.
Details, IOCs, and full package list →
https://socket.dev/blog/contagious-interview-campaign-escalates-67-malicious-npm-packages #javascript #nodejs #infosec
Don't forget to update Node tomorrow!
https://nodejs.org/en/blog/vulnerability/july-2025-security-releases
Partypeople we have to kill #nodejs before it kills us
Dear #Fediverse, I need your recommendation:
I'm building a #website that in the end consists of a #Docker #NodeJS image/container and a #Postgres container. What options are there to host those containers on the #Web? I'm looking for a cheap or even free (?!) solution. I expect less than 50 users, so big hardware or scalability is not an issue. Would a virtual server with #minikube be a viable option? I'm a Docker and #Kubernetes newb so please bear with me.
Deno 2.4 brings back bundling with esbuild, adds new tooling for dependency updates, and ships stable OpenTelemetry support. These updates to the runtime are starting to resonate with more developers:
https://socket.dev/blog/deno-2-4-brings-back-deno-bundle-improves-dependency-management @deno_land #javascript #nodejs
npm run you fools
ΩΩ
Latest version of #FediAlgo, the customizable timeline algorithm / filtering system for your Mastodon feed, allows for the use of multiple accounts on multiple Mastodon servers. Also fixes some #GoToSocial interoperability issues.
* Link: https://michelcrypt4d4mus.github.io/fedialgo_demo_app_foryoufeed/
* Code: https://github.com/michelcrypt4d4mus/fedialgo_demo_app_foryoufeed
* Video of FediAlgo in action: https://universeodon.com/@cryptadamist/114395249311910522
* Release notes: https://github.com/michelcrypt4d4mus/fedialgo_demo_app_foryoufeed/releases
@carnage4life ironically their software quality also seems to deteriorate. Win11 on an underpowered Laptop is extremely slow!
Afaik they use a bunch of #NodeJS for OS components, which makes sense if you want to hire cheap web devs or want to make shiny software without heavy systems integration...
But if they use #AI, they could also write efficient software, as they don't rely on humans?
SOS
I need some technical help.
I’m trying to get an existing project compiling.
Running Node.js on Windows.
Using Flutter and Gradle to build.
I have the correct version of Android Studio installed.
When I try to compile, Gradle complains that it can’t find Java in a directory of an old uninstalled version of Eclipse.
I can’t for the life of me figure out where that path is being set.
Mastodon v4.4.0-rc.1 released
• Minimum versions for Redis (6.2), PostgreSQL (13), Ruby (3.2) and Node.js (20) updated.
• Support for Redis namespaces removed.
• Switch from Webpack to Vite.
https://github.com/mastodon/mastodon/releases/tag/v4.4.0-rc.1
Ahoy you federated beauties.
I have decided to go freelance! If you are looking for a skilled software developer with a heart in UX & DX - Let me know, I'm sure we can cook something up!
#React, #TypeScript, #css, #rust, #java, #NodeJS are some of the fancy tooling I can not only offer, but offer to teach as well.
For those of you who are interested, you can reach me at paul@paul.wiki.
Check out my GitHub for open source contributions and references, or go to jacks.se for more info