Rankiteo
Leader in Cyber Underwriting
OpenJS Foundation

OpenJS Foundation Vendor Cyber Rating & Cyber Score

github.com

The mission of the OpenJS Foundation is to support the healthy growth of JavaScript and web technologies by providing a neutral organization to host and sustain projects, as well as collaboratively fund activities that benefit the ecosystem as a whole. The OpenJS Foundation is made up of 32 open source JavaScript projects including Appium, Dojo, jQuery, Node.js, and webpack.


OpenJS Foundation A.I CyberSecurity Scoring

OpenJS Foundation
Company Information
Website: https://github.com/openjs-foundation
Employees number: 30
Number of followers: 9,451
NAICS: 5415
Industry Type: IT Services and IT Consulting
Homepage: github.com
OpenJS Foundation Risk Score (AI oriented)
Between 700 and 749
OpenJS Foundation, IT Services and IT Consulting
Updated: 06/04/2026
Score: 719/1000, Moderate (Ba)
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium
OpenJS Foundation Global Score (TPRM): score locked

OpenJS Foundation: Moderate
Current Score: 719 Ba (Moderate), on a 0 to 1000 scale
4 incidents, -10.67 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
June 2026: 722 (before incident)
May 2026: 721 (before incident)
April 2026: 740 (before incident)

Cyber Attack, 31 Mar 2026, OpenJS Foundation
Platformatic, Axios and Node.js: North Korean Hackers Target High-Profile Node.js Maintainers

North Korean Hackers Target Node.js Maintainers in Sophisticated Supply Chain Attack

Score after incident: 719
Severity: Critical (score impact -21)
Incident ID: NODOPEAXI1775479086
A North Korean threat group, UNC1069, has been linked to a social engineering campaign targeting high-profile Node.js maintainers, following a supply chain attack on Axios in late March. The attackers published two malicious NPM packages on March 31, which were downloaded by an estimated 3 million users before being removed within three hours. The breach began when Axios lead maintainer Jason Saayman was infected with a backdoor after falling victim to a fake Microsoft Teams meeting. The attackers, posing as legitimate contacts, lured Saayman into installing a remote access trojan (RAT) under the guise of a required update. This tactic mirrors those used in previous campaigns, including DeceptiveDevelopment, Operation Dream Job, Contagious Interview, and ClickFake Interview. The same group has since expanded its efforts, targeting multiple Node.js maintainers, including Socket CEO Feross Aboukhadijeh, Wes Todd (Node Package Maintenance Working Group), Matteo Collina (Platformatic), Scott Motte (Dotenv), and Ulises Gascón (Node.js Security Working Group). These individuals oversee hundreds of NPM packages with billions of downloads, making them prime targets for supply chain compromise. The campaign, executed over several weeks, involved meticulous social engineering: attackers built fake meeting infrastructure, established trust, and conducted themselves with professionalism to avoid suspicion. Socket noted that the operation was designed to appear routine, with attackers scheduling and rescheduling calls to blend in with legitimate business interactions. In February, Google warned that UNC1069 had used similar tactics against DeFi companies, cryptocurrency firms, and venture capital entities. Security researchers have urged the open-source community to remain vigilant, as the group continues to refine its methods.
The Axios attack and subsequent targeting of Node.js maintainers highlight the growing threat of supply chain attacks orchestrated by state-backed actors, with potential for widespread disruption given the scale of the affected packages.
INCIDENT DETAILS
TYPE
Supply Chain Attack
MOTIVATION
Supply chain compromise, Data exfiltration, Potential widespread disruption
IMPACT
Systems Affected: Node.js packages, NPM ecosystem
Operational Impact: Potential widespread disruption due to compromised packages
Brand Reputation Impact: High (open-source community trust erosion)
March 2026: 740 (before incident)
February 2026: 745 (before incident)

Vulnerability, 11 Feb 2026, OpenJS Foundation
Cursor, Windsurf and Open VSX: Open VSX Vulnerability lets malicious extension go live

Open VSX Marketplace Vulnerability Allowed Malicious Extensions to Bypass Security Scans

Score after incident: 739
Severity: Critical (score impact -6)
Incident ID: ANYOPEWIN1774686278
A critical vulnerability in the Open VSX extension marketplace’s pre-publish scanning pipeline, dubbed "Open Sesame," allowed malicious extensions to bypass security checks and be published as "PASSED." The flaw was responsibly disclosed on February 8 and patched by February 11, demonstrating both the severity of the issue and the Open VSX team’s rapid response. Open VSX, used by platforms like Cursor and Windsurf as an alternative to Microsoft’s VS Code extension registry, introduced the scanning pipeline to detect malware, embedded secrets, suspicious binaries, and name-squatting attempts. The system required extensions to pass both synchronous and asynchronous scans before activation; if a scan failed, the extension was quarantined. However, a logic flaw in the scanning service’s boolean return value created a "fail-open" scenario: the system could not distinguish between no scanners configured (a valid case) and all scanner jobs failing (an error condition). Under heavy load, scan jobs would fail silently, and the system would interpret the ambiguous return value as "nothing to scan," automatically approving the extension. Exploiting the vulnerability required no special privileges: any user with a free publisher account could trigger it by flooding the publish API with malicious extensions. Each upload would exhaust shared database resources, causing scan jobs to fail without being registered. The system then treated the failure as a successful scan, publishing the extension as verified. The impact was significant: malicious extensions could appear legitimate, posing a supply chain risk to developers. The Open VSX team addressed the issue by removing the ambiguous boolean logic and ensuring explicit failure handling, preventing automatic approvals when scans fail.
This incident underscores the dangers of fail-open design in security systems, where ambiguous error handling can collapse critical safeguards under stress. The fix reinforces the principle that security-sensitive workflows should default to denial, not approval, when failures occur.
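The fail-open boolean and its fail-closed replacement, modelled in JavaScript as an added example for this page (constructed, not Open VSX's own code; the scanner names and the `{ scanner, status }` result shape are assumptions):

```javascript
// Constructed model of the fail-open pattern described above; example code,
// not the Open VSX marketplace's own. Each scan job is expected to register a
// result { scanner, status }; a job that dies under load before registering
// leaves no entry at all, which is the case the vulnerable check cannot see.

const CONFIGURED_SCANNERS = ["malware", "secrets", "binaries", "name-squat"]; // assumed names

// VULNERABLE: one boolean meaning "no registered failure". It cannot tell
// "nothing configured to scan" from "every job failed to report", so an
// upload whose jobs all died silently comes back as passed.
function vulnerableScanPassed(results) {
  return !results.some((r) => r.status === "FAILED");
}

// HARDENED: decide per configured scanner and treat a missing or non-PASSED
// result as a reason to quarantine. Only a complete set of PASSED results
// publishes; the one legitimate "nothing to scan" case is named explicitly.
function hardenedScanDecision(results, scanners = CONFIGURED_SCANNERS) {
  if (scanners.length === 0) {
    return { publish: true, reason: "no scanners configured" };
  }
  const byScanner = new Map(results.map((r) => [r.scanner, r.status]));
  for (const name of scanners) {
    const status = byScanner.get(name);
    if (status === undefined) {
      return { publish: false, reason: `${name}: no result registered` };
    }
    if (status !== "PASSED") {
      return { publish: false, reason: `${name}: ${status}` };
    }
  }
  return { publish: true, reason: "all configured scanners passed" };
}

// Constructed sample runs for one uploaded extension.
const allJobsDied = [];                                        // overload: nothing registered
const cleanRun = CONFIGURED_SCANNERS.map((s) => ({ scanner: s, status: "PASSED" }));
const partialRun = cleanRun.slice(0, 3);                        // one job never reported back
const malwareHit = cleanRun.map((r) =>
  r.scanner === "malware" ? { ...r, status: "FAILED" } : r);

console.log("vulnerable check, all jobs died:", vulnerableScanPassed(allJobsDied)); // true
console.log("hardened check, all jobs died:", hardenedScanDecision(allJobsDied));   // publish: false
console.log("hardened check, one job missing:", hardenedScanDecision(partialRun));  // publish: false
```

The hardened decision also records which scanner blocked publication, which is the audit trail a quarantine review needs.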
INCIDENT DETAILS
TYPE
Supply Chain Attack
IMPACT
Systems Affected: Open VSX extension marketplace, downstream platforms (e.g., Cursor, Windsurf)
Operational Impact: Malicious extensions could be published as 'PASSED,' bypassing security checks
Brand Reputation Impact: Potential erosion of trust in Open VSX marketplace security
January 2026: 744 (before incident)
December 2025: 744 (before incident)
November 2025: 749 (before incident)

Vulnerability, 27 Nov 2025, OpenJS Foundation
OpenJS Foundation: Critical Vulnerability in JavaScript Cryptography Library Poses Security Risk

Critical Vulnerability in 'node-forge' Cryptography Library Allows Signature Verification Bypass

Score after incident: 744
Severity: Critical (score impact -5)
Incident ID: OPE1764251888.200807
The ‘node-forge’ package, a pivotal cryptography library for JavaScript, is facing a significant security vulnerability. This flaw could potentially allow bad actors to bypass signature verifications through specially-crafted data, posing severe risks to applications relying on this package.

Examining the Impact of the ‘node-forge’ Vulnerability
The discovered vulnerability in the ‘node-forge’ library is raising concerns within the cybersecurity community. Security experts highlight the potential for attackers to manipulate data, tricking systems into accepting altered information as legitimate. The widespread use of ‘node-forge’ in various applications underscores the broad implications of this security flaw.

How the Vulnerability Affects Signature Verification
At the heart of the problem is the ability to craft data that seems valid, successfully evading signature authentications. This issue allows cybercriminals to create seemingly genuine signatures, compromising data integrity and authenticity. The critical nature of this vulnerability lies in its potential to disrupt security protocols that depend on ‘node-forge’ for encryption and decryption processes.

Potential Consequences for Applications Using ‘node-forge’
Applications integrating ‘node-forge’ face the possibility of data breaches through unauthorized access. The risk extends to all sectors utilizing JavaScript for their digital services, as the trustworthiness of digital signatures is paramount for secure tr
INCIDENT DETAILS
TYPE
Vulnerability, Signature Verification Bypass, Data Integrity Compromise
MOTIVATION
Data Manipulation, Unauthorized Access, Exploitation of Cryptographic Weaknesses
IMPACT
Potential unauthorized data access; Compromised data integrity; Applications using 'node-forge' for cryptographic operations; JavaScript-based digital services; Disruption of security protocols; Loss of trust in digital signatures; Potential erosion of trust in affected applications
DATA BREACH
Potential unauthorized data access due to bypassed signatures; Depends on applications using 'node-forge' (could include sensitive or high-value data); Compromised if relying on 'node-forge' for encryption/decryption
October 2025: 749 (before incident)
September 2025: 749 (before incident)
August 2025: 748 (before incident)
July 2025: 748 (before incident)
May 2025: 749 (before incident)

Vulnerability, 15 May 2025, OpenJS Foundation
Node.js Foundation (OpenJS Foundation)

Node.js High-Severity Denial of Service Vulnerability (CVE-2025-23166)

Score after incident: 748
Severity: Critical (score impact -1)
Incident ID: OPE4083640112625
The Node.js project disclosed CVE-2025-23166, a high-severity vulnerability in its core cryptographic operations that enables remote attackers to crash Node.js processes, leading to widespread denial-of-service (DoS) outages. The flaw stems from improper error handling in `SignTraits::DeriveBits()`, allowing adversaries to exploit untrusted inputs in asynchronous cryptographic functions, which are critical for authentication, data protection, and secure communications. Exploitation disrupts business operations, halts mission-critical services, and risks cascading failures across internet-exposed applications. All active Node.js release lines (20.x, 22.x, 23.x, 24.x) and EOL versions are affected, with unpatched systems remaining perpetually vulnerable. The advisory warns of immediate service disruptions, threatening operational continuity for millions of users reliant on Node.js-based platforms. While patches (20.19.2, 22.15.1, 23.11.1, 24.0.2) are available, delayed updates expose organizations to remote crashes, financial losses from downtime, and reputational damage due to unreliable services. The vulnerability’s severity is amplified by its foundational role in web infrastructure, making it a prime target for malicious actors seeking large-scale disruption.
INCIDENT DETAILS
TYPE
Vulnerability, Denial of Service (DoS), Remote Code Execution Risk
MOTIVATION
Disruption of Services, Potential Exploitation for Further Attacks
IMPACT
Node.js applications exposed to the internet; Services relying on cryptographic operations (authentication, data protection, secure communications); Immediate service outages; Potential widespread disruptions; Business operation disruptions; Loss of uptime/reliability in production environments; Potential erosion of trust due to service instability