JavaScript | Breaking Cybersecurity News | The Hacker News

Leaked API keys are no longer unusual, nor are the breaches that follow. So why are sensitive tokens still being so easily exposed? To find out, Intruder's research team looked at what traditional vulnerability scanners actually cover and built a new secrets detection method to address gaps in existing approaches.  Applying this at scale by scanning 5 million applications revealed over 42,000 exposed tokens across 334 secret types, exposing a major class of leaked secrets that is not being handled well by existing tooling, particularly in single-page applications (SPAs). In this article, we break down existing secrets detection methods and reveal what we found when we scanned millions of applications for secrets hidden in JavaScript bundles. Established secrets detection methods (and their limitations) Traditional secrets detection The traditional, fully automated approach to detecting application secrets is to search a set of known paths and apply regular expressions to ma...

The JavaScript (aka JScript) malware loader called GootLoader has been observed using a malformed ZIP archive that's designed to sidestep detection efforts by concatenating anywhere from 500 to 1,000 archives. "The actor creates a malformed archive as an anti-analysis technique," Expel security researcher Aaron Walton said in a report shared with The Hacker News. "That is, many unarchiving tools are not able to consistently extract it, but one critical unarchiving tool seems to work consistently and reliably: the default tool built into Windows systems." This leads to a scenario where the archive cannot be processed by tools like WinRAR or 7-Zip, and, therefore, prevents many automated workflows from analyzing the contents of the file. At the same time, it can be opened by the default Windows unarchiver, thereby ensuring that victims who fall victim to the social engineering scheme can extract and run the JavaScript malware. GootLoader is typically distrib...

Node.js has released updates to fix what it described as a critical security issue impacting "virtually every production Node.js app" that, if successfully exploited, could trigger a denial-of-service (DoS) condition. "Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion with a catchable error, which frameworks have come to rely on for service availability," Node.js's Matteo Collina and Joyee Cheung said in a Tuesday bulletin. "A bug that only reproduces when async_hooks are used would break this attempt, causing Node.js to exit with 7 directly without throwing a catchable error when recursions in user code exhaust the stack space. This makes applications whose recursion depth is controlled by unsanitized input vulnerable to denial-of-service attacks." At its core, the shortcoming stems from the fact that Node.js exits with code 7 (denoting an Internal Exception Handler Run-Time Failure ) instead of gracefully handling the...

Cybersecurity researchers have discovered a major web skimming campaign that has been active since January 2022, targeting several major payment networks like American Express, Diners Club, Discover, JCB Co., Ltd., Mastercard, and UnionPay. "Enterprise organizations that are clients of these payment providers are the most likely to be impacted," Silent Push said in a report published today. Digital skimming attacks refer to a category of client-side attacks in which bad actors compromise legitimate e-commerce sites and payment portals to inject malicious JavaScript code that's capable of stealthily harvesting credit card information and other personal information when unsuspecting users attempt to make a payment on checkout pages. These attacks are classified under an umbrella term called Magecart , which initially referred to a coalition of cybercriminal groups that targeted e-commerce sites using the Magento software, before diversifying to other products and platf...

Users of the " @adonisjs/bodyparser " npm package are being advised to update to the latest version following the disclosure of a critical security vulnerability that, if successfully exploited, could allow a remote attacker to write arbitrary files on the server. Tracked as CVE-2026-21440 (CVSS score: 9.2), the flaw has been described as a path traversal issue affecting the AdonisJS multipart file handling mechanism. "@adonisjs/bodyparser" is an npm package associated with AdonisJS, a Node.js framework for developing web apps and API servers with TypeScript. The library is used to process AdonisJS HTTP request body . "If a developer uses MultipartFile.move() without the second options argument or without explicitly sanitizing the filename, an attacker can supply a crafted filename value containing traversal sequences, writing to a destination path outside the intended upload directory," the project maintainers said in an advisory released last week. ...

A critical security flaw has been disclosed in LangChain Core that could be exploited by an attacker to steal sensitive secrets and even influence large language model (LLM) responses through prompt injection. LangChain Core (i.e., langchain-core ) is a core Python package that's part of the LangChain ecosystem, providing the core interfaces and model-agnostic abstractions for building applications powered by LLMs. The vulnerability, tracked as CVE-2025-68664, carries a CVSS score of 9.3 out of 10.0. Security researcher Yarden Porat has been credited with reporting the vulnerability on December 4, 2025. It has been codenamed LangGrinch . "A serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions," the project maintainers said in an advisory. "The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries." "The 'lc' key is used internally by LangChain to mark ser...

The React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure. The team said the issues were found by the security community while attempting to exploit the patches released for CVE-2025-55182 (CVSS score: 10.0), a critical bug in RSC that has since been weaponized in the wild . The three vulnerabilities are listed below - CVE-2025-55184 (CVSS score: 7.5) - A pre-authentication denial of service vulnerability arising from unsafe deserialization of payloads from HTTP requests to Server Function endpoints, triggering an infinite loop that hangs the server process and may prevent future HTTP requests from being served CVE-2025-67779 (CVSS score: 7.5) - An incomplete fix for CVE-2025-55184 that has the same impact CVE-2025-55183 (CVSS score: 5.3) - An information leak vulnerability that may cause a specifically crafted HTTP request sent to a vulnerable...

Threat actors with ties to North Korea have likely become the latest to exploit the recently disclosed critical React2Shell security flaw in React Server Components (RSC) to deliver a previously undocumented remote access trojan dubbed EtherRAT . "EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org," Sysdig said in a report published Monday. The cloud security firm said the activity exhibits significant overlap with a long-running campaign codenamed Contagious Interview , which has been observed leveraging the EtherHiding technique to distribute malware since February 2025. Contagious Interview is the name given to a series of attacks in which blockchain and Web3 developers, among others, are targeted through fake job interviews, coding assignments, and video assessments, leading to the deployment of malware. These efforts typi...

Cybersecurity researchers are calling attention to a new campaign dubbed JS#SMUGGLER that has been observed leveraging compromised websites as a distribution vector for a remote access trojan named NetSupport RAT . The attack chain, analyzed by Securonix, involves three main moving parts: An obfuscated JavaScript loader injected into a website, an HTML Application (HTA) that runs encrypted PowerShell stagers using "mshta.exe," and a PowerShell payload that's designed to download and execute the main malware. "NetSupport RAT enables full attacker control over the victim host, including remote desktop access, file operations, command execution, data theft, and proxy capabilities," researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said . There is little evidence at this stage to tie the campaign to any known threat group or country. The activity has been found to target enterprise users through compromised websites, indicative of a broad-strokes ...

As 2025 draws to a close, security professionals face a sobering realization: the traditional playbook for web security has become dangerously obsolete. AI-powered attacks, evolving injection techniques, and supply chain compromises affecting hundreds of thousands of websites forced a fundamental rethink of defensive strategies. Here are the five threats that reshaped web security this year, and why the lessons learned will define digital protection for years to come. 1. Vibe Coding Natural language coding, " vibe coding " , transformed from novelty to production reality in 2025, with nearly 25% of Y Combinator startups using AI to build core codebases. One developer launched a multiplayer flight simulator in under three hours, eventually scaling it to 89,000 players and generating thousands in monthly revenue. The Result Code that functions perfectly yet contains exploitable flaws, bypassing traditional security tools. AI generates what you ask for, not what you forget...

A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0. The vulnerability has been codenamed React2shell . It allows "unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints," the React Team said in an alert issued today. "Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if your app supports React Server Components." According to cloud security firm Wiz , the issue is a case of logical deserialization that stems from processing RSC payloads in an unsafe manner. As a result, an unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves execution of arbitrary JavaScript code on the server. ...

The North Korean threat actors behind the Contagious Interview campaign have continued to flood the npm registry with 197 more malicious packages since last month . According to Socket , these packages have been downloaded over 31,000 times, and are designed to deliver a variant of OtterCookie that brings together the features of BeaverTail and prior versions of OtterCookie. Some of the identified "loader" packages are listed below - bcryptjs-node cross-sessions json-oauth node-tailwind react-adparser session-keeper tailwind-magic tailwindcss-forms webpack-loadcss The malware, once launched, attempts to evade sandboxes and virtual machines, profiles the machine, and then establishes a command-and-control (C2) channel to provide the attackers with a remote shell, along with capabilities to steal clipboard contents, log keystrokes, capture screenshots, and gather browser credentials, documents, cryptocurrency wallet data, and seed phrases. It's worth notin...

The threat actors behind a malware family known as RomCom targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent. "This is the first time that a RomCom payload has been observed being distributed by SocGholish," Arctic Wolf Labs researcher Jacob Faires said in a Tuesday report. The activity has been attributed with medium-to-high confidence to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces of the Russian Federation, also known as GRU. According to the cybersecurity company, the targeted entity had worked for a city with close ties to Ukraine in the past. SocGholish (aka FakeUpdates), linked to a financially motivated operator tracked as TA569 (aka Gold Prelude, Mustard Tempest, Purple Vallhund, and UNC1543), serves as an initial access broker, allowing other threat actors to drop a wide range of payloads. Some of its known customers are Evil Corp, LockBit, Dridex, and ...

Cybersecurity researchers have discovered a set of seven npm packages published by a single threat actor that leverages a cloaking service called Adspect to differentiate between real victims and security researchers to ultimately redirect them to sketchy crypto-themed sites. The malicious npm packages, published by a threat actor named " dino_reborn " between September and November 2025, are listed below. The npm account no longer exists on npm as of writing. signals-embed (342 downloads) dsidospsodlks (184 downloads) applicationooks21 (340 downloads) application-phskck (199 downloads) integrator-filescrypt2025 (199 downloads) integrator-2829 (276 downloads) integrator-2830 (290 downloads) "Upon visiting a fake website constructed by one of the packages, the threat actor determines if the visitor is a victim or a security researcher," Socket security researcher Olivia Brown said. "If the visitor is a victim, they see a fake CAPTCHA, eventually b...

Google on Monday released security updates for its Chrome browser to address two security flaws, including one that has come under active exploitation in the wild. The vulnerability in question is CVE-2025-13223 (CVSS score: 8.8), a type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could be exploited to achieve arbitrary code execution or program crashes. "Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page," according to a description of the flaw in the NIST National Vulnerability Database (NVD). Clément Lecigne of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on November 12, 2025. Google has not shared any details on who is behind the attacks, who may have been targeted, or the scale of such efforts. However, the tech giant acknowledged that an "exploit for CVE-2025-13223 exists in the...

Cybersecurity researchers are calling attention to a large-scale spam campaign that has flooded the npm registry with thousands of fake packages since early 2024 as part of a likely financially motivated effort. "The packages were systematically published over an extended period, flooding the npm registry with junk packages that survived in the ecosystem for almost two years," Endor Labs researchers Cris Staicu and Kiran Raj said in a Tuesday report. The coordinated campaign has so far published as many as 67,579 packages , according to SourceCodeRED security researcher Paul McCarty, who first flagged the activity. The end goal is quite unusual – It's designed to inundate the npm registry with random packages rather than focusing on data theft or other malicious behaviors. The worm-life propagation mechanism and the use of a distinctive naming scheme that relies on Indonesian names and food terms for the newly created packages have lent it the moniker IndonesianFood...

Think your WAF has you covered? Think again. This holiday season, unmonitored JavaScript is a critical oversight allowing attackers to steal payment data while your WAF and intrusion detection systems see nothing. With the 2025 shopping season weeks away, visibility gaps must close now. Get the complete Holiday Season Security Playbook here . Bottom Line Up Front The 2024 holiday season saw major attacks on website code: the Polyfill.io breach hit 500,000+ websites, and September's Cisco Magecart attack targeted holiday shoppers. These attacks exploited third-party code and online store weaknesses during peak shopping, when attacks jumped 690% . For 2025: What security steps and monitoring should online retailers take now to prevent similar attacks while still using the third-party tools they need? As holiday shopping traffic increases, companies strengthen their servers and networks, but a critical weak spot remains unwatched: the browser environment where malicious code r...

Cybersecurity researchers have flagged a new set of 175 malicious packages on the npm registry that have been used to facilitate credential harvesting attacks as part of an unusual campaign. The packages have been collectively downloaded 26,000 times, acting as an infrastructure for a widespread phishing campaign codenamed Beamglea targeting more than 135 industrial, technology, and energy companies across the world, according to Socket. "While the packages' randomized names make accidental developer installation unlikely, the download counts likely include security researchers, automated scanners, and CDN infrastructure analyzing the packages after disclosure," security researcher Kush Pandya said . The packages have been found to use npm's public registry and unpkg.com's CDN to host redirect scripts that route victims to credential harvesting pages. Some aspects of the campaign were first flagged by Safety's Paul McCarty late last month. Specificall...

Cybersecurity researchers are calling attention to a nefarious campaign targeting WordPress sites to make malicious JavaScript injections that are designed to redirect users to sketchy sites. "Site visitors get injected content that was drive-by malware like fake Cloudflare verification," Sucuri researcher Puja Srivastava said in an analysis published last week. The website security company said it began an investigation after one of its customer's WordPress sites served suspicious third-party JavaScript to site visitors, ultimately finding that the attackers introduced malicious modifications to a theme-related file ("functions.php"). The code inserted into "functions.php" incorporates references to Google Ads, likely in an attempt to evade detection. But, in reality, it functions as a remote loader by sending an HTTP POST request to the domain "brazilc[.]com," which, in turn, responds with a dynamic payload that includes two component...