Another supply chain attack just hit the JavaScript world. This time attackers poisoned npm packages that millions of developers trust. The malicious code made it into production apps before anyone noticed. We audit our dependencies quarterly now. Not because we're paranoid, but because we've seen what happens when you don't. Your package.json is your attack surface. #JavaScript #security #webdev
npm package security vulnerability hits JavaScript developers
More Relevant Posts
Stop Storing Auth Tokens in LocalStorage! If you’re building with React or Next.js, where you store your JWTs matters more than you think.

The Risk: LocalStorage. It’s easy to use, but it’s vulnerable to XSS attacks. Any malicious script can read your localStorage and steal user sessions.

The Solution: HttpOnly Cookies. This is the industry standard. By using httpOnly cookies:
1. Security: JavaScript cannot access the token, neutralizing XSS risks.
2. Next.js Power: You can easily read them in Server Components and Middleware for seamless auth checks.
3. Automation: The browser handles sending the token with every request; no more manual header injection.

#ReactJS #NextJS #WebSecurity #FullStack #CodingTips
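An added example, not from the post above: a framework-agnostic Node.js helper that issues the session JWT with the cookie attributes the post recommends (HttpOnly, Secure, SameSite) and reads it back on the server side. The cookie name `session` and the token values are assumptions.

```javascript
// Added example, not from the post above: issue the session JWT as an HttpOnly
// cookie (unreadable from document.cookie, so an XSS payload cannot lift it)
// and read it back from the request. Cookie name and token values are assumptions.
const COOKIE_NAME = 'session';

// Build the Set-Cookie header value a login handler sends after verifying credentials.
function buildSessionCookie(token, { maxAgeSeconds = 3600, secure = true } = {}) {
  // RFC 6265 cookie-value: printable ASCII, no whitespace, DQUOTE, comma, semicolon, backslash.
  // Rejecting anything else also blocks attribute injection such as "x; Path=/evil".
  if (typeof token !== 'string' || !/^[\x21-\x7e]+$/.test(token) || /[",;\\]/.test(token)) {
    throw new Error('token contains characters not allowed in a cookie value');
  }
  const attrs = [
    `${COOKIE_NAME}=${token}`,
    'HttpOnly',        // invisible to page scripts; this is the point of the post
    'SameSite=Strict', // the browser will not attach it to cross-site requests
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
  ];
  if (secure) attrs.push('Secure'); // HTTPS only; turn off only for localhost development
  return attrs.join('; ');
}

// Read the token from an incoming Cookie request header; returns null if absent.
function readSessionCookie(cookieHeader) {
  if (typeof cookieHeader !== 'string') return null;
  for (const pair of cookieHeader.split(';')) {
    const eq = pair.indexOf('=');
    if (eq === -1) continue;
    if (pair.slice(0, eq).trim() === COOKIE_NAME) return pair.slice(eq + 1).trim();
  }
  return null;
}

// Header that clears the cookie on logout (same attributes, Max-Age=0).
function clearSessionCookie() {
  return `${COOKIE_NAME}=; HttpOnly; SameSite=Strict; Path=/; Max-Age=0; Secure`;
}
```

In a Next.js route handler the same attributes map onto the `httpOnly`, `secure`, `sameSite`, `path` and `maxAge` options of `cookies().set()` from `next/headers`.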
New PHP Composer Vulnerabilities Could Grant Unrestricted Access

Two high-severity vulnerabilities in PHP Composer, specifically impacting the Perforce VCS driver, have been identified. These flaws allow for arbitrary command execution, posing a significant risk to systems relying on this package manager.

Here’s why this matters:
→ Command injection vulnerabilities are consistently among the most dangerous, allowing attackers to take full control of compromised systems.
→ The Perforce driver is widely used in PHP projects, increasing the attack surface and potential impact.
→ Successful exploitation could lead to data breaches, system compromise, and further malicious activity.

Here’s what you can do today:
✓ Immediately check your systems for Composer version 2.5.8 and below.
✓ Apply the patches released by The Hacker News: https://lnkd.in/gbxn3bVR
✓ Review your Perforce configuration for any potential vulnerabilities.
✓ Update your vulnerability scanning tools to prioritize Composer checks.

What steps are you taking to mitigate these risks within your organizations?
#PHP #Composer #VulnerabilityManagement #ThreatIntelligence #SecOps
Read more: https://lnkd.in/gbxn3bVR
Day 53🔥🚀 Today I focused on finding bugs through JavaScript files. JS files can reveal a lot if you read them carefully.

What you might find:
- API endpoints
- Hidden routes
- Hardcoded keys (sometimes)
- Tokens or configuration details
- Logic that shows how the app works

Instead of just interacting with the UI, I started looking at how the application is built behind the scenes. That’s where things get interesting. I also learned about services like SendGrid and how API keys can sometimes be exposed in JS files. But finding a key is not enough; it’s important to handle such discoveries responsibly and validate them only within proper scope.

JavaScript is not just code. It’s a map of the application.
#Cybersecurity #BugBounty #JavaScript #WebSecurity #Recon #AppSec #Day53 #Consistency
Is your package-lock.json a ticking time bomb? 💣 The first quarter of 2026 has been a "security reckoning" for the JavaScript ecosystem. If you haven't run an audit this week, you might be at risk.

We’ve seen three major shifts this year:
1️⃣ The Axios Supply Chain Attack: A malicious dependency (plain-crypto-js) was slipped into Axios versions 1.14.1 and 0.30.4. With 100M+ weekly downloads, this wasn't just a bug—it was a weaponized backdoor.
2️⃣ Next.js Request Smuggling (CVE-2026-29057): A medium-severity flaw allowed attackers to bypass internal route protections. If you're proxying traffic, you need to be on v16.1.7+ or v15.5.13+.
3️⃣ The "React2Shell" Era: As we move toward React Server Components (RSC), the boundary between client and server is blurring. We're seeing a new class of SSR-based vulnerabilities that traditional scanners are missing.
4️⃣ Vercel April 2026 security incident: We’ve identified a security incident that involved unauthorized access to certain internal Vercel systems.

My 2026 Checklist for Devs:
✅ Pin your versions: Stop using ^ for critical networking libs.
✅ Limit Image Cache: Update Next.js to fix the Image Optimization DoS (CVE-2026-27980).
✅ Audit Transitive Deps: The danger isn't just the library you installed—it's the library they installed.

Stay safe and keep those dependencies clean! 🛠️
#Javascript #ReactJS #NextJS #WebSecurity #SoftwareEngineering #javascript #InfoSec2026
Axios, a widely used JavaScript HTTP library, was recently compromised. What made this attack effective is how subtle it was. There was no obvious malware added to the source. Instead, a seemingly normal dependency was introduced. It used a postinstall script to detect the operating system, download a payload, and then remove traces of itself. Everything about it looked routine on the surface. It is a good reminder that running npm install is not just a setup step. It is executing code. If you use JavaScript tools, check whether Axios is on your system and look for versions 1.14.1 or 0.30.4. Then look for any indicators of the RAT or unusual network behavior on your system. If anything seems off, assume compromise and rotate your keys, credentials, and tokens.
Most developers blindly run: 👉 npm install
But very few stop and think… “What exactly am I installing into my system?”

Recently, a popular library (axios) was compromised due to an npm account hijack. Malicious versions were published. And thousands of projects could have been affected before it was taken down. Let that sink in.
---
💡 The problem is not just one library… It’s our habit 👇
- We trust packages without verification
- We update dependencies without reading changelogs
- We install libraries just to save a few lines of code
---
⚠️ Hard truth: Every dependency you install = You are trusting someone else’s code in your system
---
Here’s what I’ve started doing as a Full Stack Developer:
✔ Checking package versions before installing
✔ Avoiding unnecessary dependencies
✔ Reviewing lock files (not just package.json)
✔ Staying updated with ecosystem security issues
---
🚀 Lesson learned: Convenience is great… But security is your responsibility.
---
Are you careful with the dependencies you install, or do you just trust npm?
#JavaScript #NodeJS #ReactJS #CyberSecurity #WebDevelopment #FullStackDeveloper #OpenSource #SoftwareEngineering
🚨 Your PHP/Laravel/Codeigniter projects might be compromised right now. Two critical vulnerabilities in Composer (CVE-2026-40261 & CVE-2026-40176) allow attackers to execute arbitrary code on your machine — even if you don't use Perforce. The scary part? It happens silently during a normal composer install. The good news? The fix takes 30 seconds. I just published a deep dive into what happened, why it matters, and exactly what you need to do. 👉 https://lnkd.in/gUeAFSc3 #PHP #Security #DevOps #Composer
If you’re using Next.js… check this right now. ⚠️
Me: “Server secured, Apps redeployed, Everything is safe now.” 😌
Server: “lol… watch this.” 💀

👊 A few days ago, my VPS got hit by a crypto miner attack. So I did everything right:
✔️ Hardened the server
✔️ Locked down access
✔️ Cleaned suspicious entries

For 2 days… 🧘♂️ Peace 😌 Stability 📉 Normal CPU
Then suddenly, BOOM 💥 CPU = 100% 🚨 Same attack. Again.
Me: “Wait… WHAT??”

That’s when I stopped blaming the server… and started questioning my own app. And there it was 👇
💣 A vulnerable dependency in my Next.js app
💣 Leading to possible RCE (Remote Code Execution)
No warnings. No errors. No drama. Just a silent backdoor chilling in my codebase. 🧊
Me after finding it: “So it was YOU all along…” 😐

I ran npm audit… And honestly, this tiny command saved my server.
✔️ Found the vulnerable package
✔️ Updated dependencies
✔️ Checked everything is working

Now it’s been 3 days:
🟢 CPU normal
🟢 No miner
🟢 No surprises

You can secure your server like Fort Knox, using Red Hat… but if your dependencies are weak, it’s game over.
So from now on, I:
👉 Don’t ignore npm audit
👉 Don’t blindly trust dependencies
👉 Don’t wait for a hack to learn this
Because attackers don’t always hack… Sometimes they just… npm install 😶
Have you checked yours?
#NextJS #WebSecurity #CyberSecurity #DevOps #FullStackDeveloper #JavaScript #NodeJS #SoftwareEngineering #BugFix #Developers #InfoSec #TechLessons #BuildInPublic #CodingLife
Another reminder that your supply chain is only as strong as your weakest dependency. Two newly disclosed vulnerabilities in PHP’s Composer ecosystem highlight how easily attackers can turn dependency management into a code execution vector.

CVE-2026-40176 (CVSS 7.8) is an improper input validation issue where a malicious composer.json can define a Perforce VCS repository and inject arbitrary commands. That means code execution in the context of whoever is running Composer.

CVE-2026-40261 (CVSS 8.8) takes it a step further. Poor escaping allows attackers to inject commands through a crafted source reference using shell metacharacters.

Affected versions:
- >= 2.3, < 2.9.6 (fixed in 2.9.6)
- >= 2.0, < 2.2.27 (fixed in 2.2.27)

What makes this dangerous is where it lands. CI pipelines, developer workstations, and build systems are all in scope. If a malicious dependency gets pulled in, you are not just dealing with a bad package. You are potentially handing over execution.

We keep seeing the same pattern across ecosystems. npm, PyPI, Composer. Speed and convenience create blind trust, and attackers are abusing that trust at install time.

A few things that should already be standard practice:
- Pin and lock dependencies
- Validate sources before pulling anything into your environment
- Restrict or audit install time script execution
- Treat your build pipeline like a production asset

Your attack surface is no longer just your codebase. It is every dependency you allow in. Stay paranoid.
#cybersecurity #infosec #appsec #devsecops #supplychainsecurity #php #composer #vulnerabilities #cve #securityresearch
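An added example, not from any of the posts above, serving both the Axios posts' advice to check lock files for versions 1.14.1 and 0.30.4 and this post's point about auditing install-time script execution: a Node.js script that walks a lockfileVersion 2/3 `packages` map and flags known-bad versions and any dependency that declares an install script. The known-bad list and the sample lockfile are constructed for the example; treating every `plain-crypto-js` version as suspect is an assumption.

```javascript
// Added example, not from any post above. Scan a package-lock.json
// (lockfileVersion 2 or 3) for known-bad versions and install-time scripts.
// Versions come from the posts; the sample lockfile below is constructed.
const KNOWN_BAD = {
  axios: new Set(['1.14.1', '0.30.4']), // compromised releases named in the posts
  'plain-crypto-js': null,              // assumption: every version is suspect
};

// Package name from a lockfile key such as "node_modules/a/node_modules/@s/b".
function packageName(lockPath) {
  const parts = lockPath.split('node_modules/');
  return parts[parts.length - 1];
}

// Returns a list of { name, version, reason } findings for a parsed lockfile.
function scanLockfile(lock) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // the root project entry
    const name = packageName(lockPath);
    const bad = Object.hasOwn(KNOWN_BAD, name) ? KNOWN_BAD[name] : undefined;
    if (bad === null || (bad && bad.has(meta.version))) {
      findings.push({ name, version: meta.version, reason: 'known-bad version' });
    }
    // npm sets hasInstallScript when a package declares preinstall/install/postinstall
    if (meta.hasInstallScript) {
      findings.push({ name, version: meta.version, reason: 'declares install script' });
    }
  }
  return findings;
}

// Constructed sample: a compromised axios pulled in transitively by an SDK.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'some-sdk': '^2.0.0' } },
    'node_modules/some-sdk': { version: '2.3.0', dependencies: { axios: '1.14.1' } },
    'node_modules/some-sdk/node_modules/axios': { version: '1.14.1' },
    'node_modules/plain-crypto-js': { version: '1.0.0', hasInstallScript: true },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

// Run against a real lockfile: node scan-lock.js ./package-lock.json
if (typeof require !== 'undefined' && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require('node:fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  for (const f of scanLockfile(lock)) console.log(`${f.name}@${f.version}: ${f.reason}`);
}
```

The install-script check is the static counterpart to the `postinstall` behaviour the Axios post describes; `npm ci --ignore-scripts` stops those hooks from running at all while you review them.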