#javascript
7 stories taggedjavascript.

npm 12 Turns Off Auto-Run Install Scripts to Blunt Supply Chain Attacks
GitHub's package manager for JavaScript now ships with a safer default, and it retires a token type that let developers skip two-factor login.

Fake Rollup Helper Packages on npm Traced to North Korean Hackers
Two look-alike JavaScript packages copied a popular developer tool line-for-line, then quietly opened a back door onto the machines of anyone who installed them.

Trusted Plugin Scripts Weaponized in Admin-Aware WordPress Supply-Chain Hit
Tampered JavaScript served from PushEngage, OptinMonster and TrustPulse fingerprinted logged-in admins before silently provisioning rogue accounts and a stealth plugin.

npm 12 Pulls the Plug on Install Scripts by Default
GitHub is finally turning off the lifecycle hook that's been quietly powering half a decade of supply chain attacks.

FROST: A Browser-Only Side Channel That Reads Your SSD to Guess What You're Doing
Graz University researchers show that JavaScript timing alone can fingerprint websites and applications by measuring contention on a victim's solid-state drive.

Six Flaws in protobuf.js Turn Serialized Schemas Into Execution Vectors
The JavaScript Protocol Buffers library — pulled 50 million times a week — ships patches for a cluster of CVEs that let attackers use schema metadata to run arbitrary code inside Node.js processes.

Schema as Weapon: Six Flaws in protobuf.js Open a Path to Remote Code Execution
Cyera researchers found that protobuf.js — pulled into apps 50 million times a week — will, under exploitable conditions, turn schema metadata into running code.