Eugene Zubarev’s Post

A widely used JavaScript library is at the center of a rapidly developing supply chain attack with potential for broad downstream impact. On March 31, 2026, attackers compromised the official Axios package on the Node Package Manager (npm) registry. Axios is one of the most widely used open-source libraries for making web requests, with over 100 million downloads per week. It is embedded in web applications, mobile apps, backend services, and automated build pipelines across virtually every industry. The attacker gained access to the Axios package maintainer’s publishing credentials and used them to release two poisoned versions of Axios (1.14.1 and 0.30.4) that included a hidden malicious dependency. When developers or automated systems install either version, the malicious code executes immediately, stealing sensitive credentials from the system (cloud access keys, database passwords, API tokens) and installing a Remote Access Trojan (RAT) that gives the attacker persistent access to the compromised machine.

JWT auth is easy to mess up. Here’s a secure, production‑ready pattern I use at Devsloop. 🔐 I’ve seen tokens stored in localStorage. I’ve seen no refresh rotation. I’ve seen expired tokens crash apps. Let’s fix that. Access + refresh tokens – why both? • Access token (short‑lived, 15 min): Limits damage if stolen. • Refresh token (longer, 7 days): Gets new access tokens without re‑login. • Store refresh token in an HTTP‑only cookie (not localStorage). Guard‑based route protection: In NestJS, a simple @UseGuards(JwtAuthGuard) protects entire controllers. Add a @Public() decorator for login/register endpoints. Common mistake – storing tokens in localStorage: LocalStorage is vulnerable to XSS. Any injected script can steal your token.  Solution: Store access token in memory (RxJS BehaviorSubject) and refresh token in an HTTP‑only cookie. DM me “JWT” and I’ll send you my NestJS auth snippet. Includes guard, strategy, and cookie extraction. #NestJS #NodeJS #WebSecurity

Axios was compromised on March 30. 100M weekly downloads. One poisoned config. Zero warnings. No CVE. No alerts. Just code that ran—and vanished. For React Native teams, the damage doesn't stop at the developer machine, it reaches every binary built during the exposure window. More details: https://loom.ly/lvOj3Eo #MobileSecurity #AppSecurity #SupplyChainSecurity #Breach

Patched package. Exposed developers (still). Bigger risk for vibe-coded apps. Axios fixed the immediate issue, but the downstream question is what attackers may have accessed through developer machines and CI/CD — and what that means for shipped mobile apps. That is the hidden danger in ai-assisted/vibe-coded development: the security-layer is thin or missing and non-developers may lack the sophistication required to identify, isolation and fix issues like this. Faster shipping can amplify supply-chain exposure without the right controls. #MobileSecurity, #AppSec, #SoftwareSupplyChain #ReactNative #CyberSecurity #AICode

The Axios issue impacts mobile apps. The NPM package could be in a 1st party app that you build or a 3rd party app that you use. Test the binary to ensure that you have not been impacted. NowSecure can help.

While building full-stack applications, one thing I’ve realized: Authentication is easy to implement, but hard to implement securely. In my recent projects, I’ve worked with: JWT-based authentication Protected routes Role-based access control Now focusing on improving: Input validation Preventing common vulnerabilities (XSS, SQL Injection) Trying to move from just “building apps” → to building secure systems 🔐 #FullStackDeveloper #WebSecurity #NodeJS #ReactJS

This is a dangerous mistake that's easier to make than you'd think: ```js // NEVER do this in a Client Component const response = await fetch('https://lnkd.in/dky5ZBwD', { headers: { Authorization: `Bearer ${process.env.STRIPE_SECRET_KEY}` } }); ``` Rules to follow: → Secret API keys → Server Components, API routes, or server actions ONLY → NEXT_PUBLIC_ prefix → safe for client side, never for secrets → Never log process.env objects entirely ```js // Safe — runs only on the server // app/api/payment/route.js export async function POST(req) { const stripe = new Stripe(process.env.STRIPE_SECRET_KEY); // Safe here ... } ``` If your secret key ever ends up in the browser, rotate it immediately. Security is not something you fix after deployment. Build it right from the start. #NextJS #Security #WebDevelopment #Frontend

🚀 Just published a new npm package: @ubay182/sveltekit-hpke-wrapper While working on a project with SvelteKit, I needed a simple way to implement HPKE (Hybrid Public Key Encryption) for secure client–server communication. So I built a small wrapper to make it easier to use HPKE inside SvelteKit apps. ✨ Features: • Simple integration with SvelteKit • Wrapper around HPKE to simplify encryption workflows • Designed for secure data exchange between client and server If you're working with SvelteKit and need a lightweight way to implement HPKE, feel free to check it out. 📦 npm: https://lnkd.in/gpXR3yqx Feedback, issues, and contributions are welcome! #SvelteKit #JavaScript #WebSecurity #Encryption #OpenSource

Why are we still trusting sandboxes to be secure by default? CVE-2026-34208. SandboxJS library. CVSS 10.0. Bypass allows escape from the JavaScript sandbox. This is a fundamental design flaw, not a simple bug. If your app's security model depends on this library, you have no security model. What's your go-to strategy for vetting and securing third-party code libraries? #InfoSec #ThreatIntelligence #PatchManagement #CloudSecurity #RiskManagement 🔗 https://lnkd.in/eKNKsAQU

Your Spring Boot app is probably doing this wrong Most Spring Boot applications are slower than they should be. Not because of CPU. Not because of threads. 👉 Because of database access. List<Owner> owners = ownerRepository.findAll(); for (Owner owner : owners) {   owner.getPets().size(); // looks harmless } 🚨 What actually happens 1 query → load owners +1 query per owner → load pets 👉 With 50 owners: 51 SQL queries for a single request ✅ Fix @EntityGraph(attributePaths = "pets") List<Owner> findAll(); 👉 1 query instead of 50+ 🔍 Bonus I built a tool that detects issues like this automatically: 👉 https://joptimize.io #JavaDev #SpringBoot #Hibernate #JavaPerformance #Backend #SoftwareEngineering