Best of Node.js: April 2026

  1. Article · BleepingComputer · 4w

    New npm supply-chain attack self-spreads to steal auth tokens

    A new self-propagating supply chain attack has been discovered in the npm ecosystem, targeting packages from Namastex Labs. The malware, found in 16 compromised packages, steals developer credentials including npm publish tokens, API keys, SSH keys, cloud service credentials, CI/CD secrets, and cryptocurrency wallet data from browsers. Once it finds npm publish tokens on a compromised system, it injects itself into every package that token can publish and republishes them with an incremented version number, enabling recursive worm-like spread. It also targets PyPI if Python credentials are found, making it a multi-ecosystem threat. Developers using the listed package versions should remove them immediately, rotate all secrets, and audit CI/CD pipelines for indicators of compromise.

  2. Article · Node.js · 5w

    Node.js — Node.js 24.15.0 (LTS)

    Node.js 24.15.0 'Krypton' LTS has been released with several notable changes: a new --max-heap-size CLI option, require(esm) and module compile cache marked as stable, raw key format support added to KeyObject crypto APIs, a throwIfNoEntry option for fs.stat, HTTP/1 fallback configuration for HTTP/2, setTOS/getTOS added to Socket, SQLite marked as release candidate with a new limits property, C++ support for diagnostics channels, and improvements to the test runner including worker ID exposure and SIGINT handling. The release also includes numerous bug fixes across streams, crypto, HTTP, ESM, and buffer modules, plus dependency updates including npm 11.12.1, SQLite 3.52.0, and updated root certificates.

  3. Article · Adventures in Nodeland · 5w

    The Economics of Judgment

    Matteo Collina, maintainer of Node.js, Fastify, and other major projects, analyzes an academic paper on the economics of AI and connects its findings to his hands-on experience. The paper introduces three key concepts: the Red Queen Effect (AI model value is relative, forcing constant reinvestment), the Structural Jevons Paradox (cheaper AI inference leads to more complex and widespread usage, not less), and the Wrapper Trap (thin application layers on top of foundation models lose value as models improve). Collina argues that human judgment — the ability to evaluate correctness, understand real business needs, and apply domain expertise — is the scarce resource that grows more valuable as AI handles more implementation work. He also flags the data flywheel dynamic as a risk for open source ecosystems. The core takeaway: implementation is becoming commoditized, but judgment is becoming the economic bottleneck the entire expanding software market depends on.

  4. Article · Socket · 7w

    Node.js Drops Bug Bounty Rewards After Funding Dries Up

    Node.js has paused its bug bounty program after the Internet Bug Bounty (IBB) initiative, which funded it since 2016, was discontinued. The IBB, backed by companies like Microsoft and Facebook, stopped accepting new submissions on March 27 due to funding issues and a surge in AI-assisted vulnerability research that overwhelmed remediation capacity. Security reporting through HackerOne continues, but researchers will no longer receive financial rewards. The move mirrors cURL's recent decision to drop its bounty program after being flooded with low-quality AI-generated reports. The shift raises broader concerns about how critical open source infrastructure funds security work, as Node.js now relies on voluntary, goodwill-driven disclosure at a time when supply chain attacks and automated vulnerability discovery are increasing.

  5. Article · .NET Blog · 4w

    Writing Node.js addons with .NET Native AOT

    The C# Dev Kit team replaced C++ Node.js addons (built with node-gyp and requiring Python) with C# using .NET Native AOT. The post walks through building a Node.js native addon in C# using N-API, covering the project setup, module entry point with [UnmanagedCallersOnly], P/Invoke via [LibraryImport] with a custom DLL resolver pointing to the host process, UTF-8 string marshalling using Span<T> and ArrayPool, and exposing functions to TypeScript. The result eliminated the Python dependency, simplified CI pipelines, and matched C++ performance while opening the door to hosting .NET logic in-process within Node.js.

  6. Article · Node.js · 7w

    Node.js — Node.js 25.9.0 (Current)

    Node.js 25.9.0 (Current) has been released with several notable changes. The test runner's module mocking API has been consolidated: `MockModuleOptions.defaultExport` and `MockModuleOptions.namedExports` are merged into a single `MockModuleOptions.exports` option, with an automated codemod migration available. Other semver-minor additions include `using` scopes for `AsyncLocalStorage`, a new `--max-heap-size` CLI flag, TurboSHAKE and KangarooTwelve Web Cryptography algorithms, customizable REPL error handling, removal of the `node:domain` dependency from REPL, ESM code cache support in Single Executable Applications (SEA), and a new `stream/iter` implementation. Additional fixes cover zlib use-after-free, ESM path normalization, Buffer performance improvements, and various dependency updates including npm 11.12.1 and SQLite 3.51.3.

  7. Article · JavaScript Weekly · 3w

    JavaScript Weekly Issue 783: April 28, 2026

    JavaScript Weekly issue 783 curates the latest in the JS ecosystem. Highlights include a comprehensive overview of ES2025 and ES2026 features (iterator helpers, Promise.try, Map.getOrInsert, Temporal), a new JS package manager called Aube focused on performance, Nano Stores 1.3 (a 286-byte framework-agnostic state manager), tips on debugging WASM in Chrome DevTools, writing Node.js addons with .NET Native AOT, and a guide on the simplest C-to-WebAssembly-to-JS pipeline. Also covered: Cloudflare agent-readiness tools, Cypress TypeScript 6.0 upgrade, and miscellaneous ecosystem news.

  8. Article · InfoWorld · 3w

    The best JavaScript certifications for getting hired

    JavaScript has been the most in-demand programming language for over a decade, and certifications can help candidates stand out in hiring pipelines — especially early-career developers or career switchers. Experts note that certs are not a primary hiring signal but can serve as a credibility anchor or tie-breaker in high-volume or compliance-driven roles. A curated list of notable JavaScript certifications is provided, including CIW JavaScript Specialist, FreeCodeCamp's JS Algorithms and Data Structures, W3Schools JavaScript Developer Certificate, JS Institute's JSA and JSE certifications, Mimo JavaScript Certification, the now-retired OpenJS JSNAD, and Certificates.dev's Senior JavaScript Developer cert. Strong portfolios with real projects still outweigh certifications in most hiring decisions.

  9. Article · Socket · 7w

    Attackers Are Hunting High-Impact Node.js Maintainers in a C...

    A coordinated social engineering campaign linked to DPRK-nexus threat actors (UNC1069) has been targeting high-impact Node.js and npm maintainers, including the creators of Lodash, Fastify, Pino, and Undici, as well as Socket engineers. Attackers impersonate legitimate companies, build rapport over weeks, then lure targets into fake video calls where they are prompted to install malware or run terminal commands. The malware installs a remote access trojan that exfiltrates npm tokens, browser cookies, AWS credentials, and more — bypassing 2FA entirely. Multiple maintainers confirmed they were targeted using the same 'Openfort' persona used in the confirmed Axios compromise. Security researchers connect this to documented DPRK tooling including WAVESHAPER, HYPERCALL, and CHROMEPUSH. The strategic shift from targeting crypto founders to open source maintainers gives attackers write access to packages downloaded trillions of times annually, enabling supply chain attacks at massive scale.

  10. Article · Collections · 4w

    Bun v1.3.13: test isolation, 8x less memory for source maps, and faster gzip

    Bun v1.3.13 ships with notable performance gains and new test runner capabilities. Four new flags — --isolate, --parallel, --shard, and --changed — give developers finer control over test execution. Memory usage drops dramatically: bun install uses ~17x less memory by streaming tarballs to disk, and source maps consume 8x less memory. gzip compression is up to 5.5x faster via zlib-ng. New features include Range request support in Bun.serve(), SHA3 hash algorithms, and WebSocket unix socket schemes. The JavaScriptCore engine received 1,316 upstream commits, and 82 reported issues were closed including Node.js compatibility fixes and memory leak patches.