The Hacker News

Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems

Cline CLI 2.3.0 was published with a stolen npm token, installing OpenClaw in an 8-hour attack affecting ~4,000 downloads.

Fake job recruiters hide malware in developer coding challenges

A new variation of the fake recruiter campaign from North Korean threat actors is targeting JavaScript and Python developers ...
The Hacker News

Critical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution

A critical sandbox escape vulnerability has been disclosed in the popular vm2 Node.js library that, if successfully exploited, could allow attackers to run arbitrary code on the underlying operating ...
SecurityWeek

‘PackageGate’ Flaws Open JavaScript Ecosystem to Supply Chain Attacks

Half a dozen vulnerabilities in the JavaScript ecosystem’s leading package managers — including NPM, PNPM, VLT, and Bun — could be exploited to bypass supply chain attack protections, according to ...
GitHub

GitHub - nodejs/amaro: Node.js TypeScript wrapper

Amaro is a wrapper around @swc/wasm-typescript, a WebAssembly port of the SWC TypeScript parser. It's used as an internal in Node.js for Type Stripping but can also be used as a standalone package.