If you're running Node.js in production, this is something you should be aware of.

Node.js 20 is reaching End of Life (EOL) this April. This means:
• No more security updates
• No more bug fixes
• Increased operational risk over time

And importantly, newer vulnerabilities are not always tested against EOL versions, which means some risks may not even be visible in your security tooling.

In this video, I break down:
• What EOL actually means
• Why it matters in production
• What you should consider next

🎬 Watch the full video: https://lnkd.in/eWxkHSM7

#Nodejs #JavaScript #Backend #SoftwareEngineering
More Relevant Posts
🚀 New Article Published

I recently worked on stabilizing a legacy Angular application that hadn't been updated in years. What started as a simple security fix turned into a full debugging journey:
• 47 npm vulnerabilities
• Angular Material errors
• Infinite recursion crashes
• Broken imports
• TypeScript configuration issues

Instead of rewriting the app, I focused on understanding the problems and fixing them step-by-step. In this article I share the entire troubleshooting journey and the lessons learned while bringing the app back to life.

📖 Read the full article on Medium: https://lnkd.in/gYwcieeK
I came across a story on social media recently that stopped me mid-scroll.

A developer, someone just like most of us, was working late on a side project. Needed a quick utility package. Found one on npm. Good-looking name, seemed useful, zero red flags. Ran npm install some-util-helper without a second thought.

Three days later? His API keys were leaking. His environment variables exposed. That innocent-looking package was silently harvesting credentials in the background the whole time.

He didn't get hacked. He installed the threat himself. 😶

This isn't rare. It's happening more than you think. The npm registry has over 2 million packages. Not all of them are safe. Some are abandoned. Some are typosquatted with names almost identical to popular libraries. Some are outright malicious, quietly waiting for a tired developer on a deadline.

Here's what that developer had to do to recover 👇

Step 1 — Find it: npm list <package-name>
Step 2 — Remove it: npm uninstall <package-name>
Step 3 — Rotate ALL secrets immediately. Every API key. Every token. Every env variable. No exceptions.
Step 4 — Audit your entire project: npm audit

And going forward? Three habits that take 30 seconds each:
✅ Check the download count before installing. Under 100 downloads? Treat it with real caution.
✅ Use --ignore-scripts when installing from unfamiliar sources.
✅ Enable 2FA on your npm account. Today, not tomorrow.

The scariest part of this story? He never got an alert. No warning. No red flag from anywhere. Just a quiet package doing quiet damage until it was too late.

Modern development moves fast, but security has to move faster. Stay vigilant. Verify before you install. Every single time.

Swipe through the carousel for a quick visual breakdown ↓

#CyberSecurity #NodeJS #JavaScript #SoftwareDevelopment #DevSecOps #SecureCoding #WebDevelopment #Developers
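The three "30-second habits" in the post above (download count, install scripts, look-alike names) can be turned into a pre-install check. The following is an added example, not code from the post or from npm: it inspects a package document shaped like the public registry's metadata (name, dist-tags, versions[*].scripts), which you would normally fetch from the registry before running npm install. The package metadata, the weekly download figure and the list of "popular" names are constructed sample inputs; the popular-package list, the edit-distance threshold of 2 and the 100-download cutoff are assumptions chosen for the demo.

```javascript
// Added example: a pre-install trust check for an npm package, run offline over
// constructed registry-style metadata. Not part of the original post.
// Assumptions: POPULAR_PACKAGES is a hand-picked list; thresholds are illustrative.

const POPULAR_PACKAGES = ['lodash', 'express', 'axios', 'react', 'chalk', 'commander'];
// Lifecycle scripts that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Levenshtein distance: a name one or two edits away from a popular package is a typosquat signal.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Returns a list of findings; an empty list means none of the three signals fired.
function assessPackage(meta, weeklyDownloads, opts = {}) {
  const minDownloads = opts.minDownloads ?? 100;
  const findings = [];
  const latest = meta['dist-tags'] && meta['dist-tags'].latest;
  const version = latest && meta.versions && meta.versions[latest];
  if (!version) {
    findings.push({ level: 'high', reason: 'no "latest" version in metadata' });
    return findings;
  }
  // 1. Install-time scripts run arbitrary code on the machine doing the install.
  const scripts = version.scripts || {};
  for (const hook of INSTALL_HOOKS.filter((h) => scripts[h])) {
    findings.push({ level: 'high', reason: `runs "${hook}" script: ${scripts[hook]}` });
  }
  // 2. Near-miss of a popular name (but not the popular package itself).
  for (const popular of POPULAR_PACKAGES) {
    const d = editDistance(meta.name, popular);
    if (d > 0 && d <= 2) {
      findings.push({ level: 'high', reason: `name is ${d} edit(s) from popular package "${popular}"` });
    }
  }
  // 3. Almost nobody else has installed it, so nobody else has vetted it.
  if (weeklyDownloads < minDownloads) {
    findings.push({ level: 'medium', reason: `only ${weeklyDownloads} weekly downloads` });
  }
  return findings;
}

// Turn findings into a decision: 'block', 'review' (install with --ignore-scripts and read it), or 'install'.
function decide(findings) {
  if (findings.some((f) => f.level === 'high')) return 'block';
  if (findings.length > 0) return 'review';
  return 'install';
}

// Constructed sample metadata (not real packages): a look-alike with a postinstall hook, and a clean one.
const SUSPICIOUS_META = {
  name: 'lodahs',
  'dist-tags': { latest: '1.0.2' },
  versions: { '1.0.2': { scripts: { postinstall: 'node ./setup.js' } } },
};
const CLEAN_META = {
  name: 'express',
  'dist-tags': { latest: '4.0.0' },
  versions: { '4.0.0': { scripts: { test: 'mocha' } } },
};

function demo() {
  const bad = assessPackage(SUSPICIOUS_META, 42);
  const good = assessPackage(CLEAN_META, 1_000_000);
  return { bad: decide(bad), badFindings: bad, good: decide(good) };
}
```

The `prepare` hook is included because npm runs it for git dependencies at install time as well. A `review` verdict is the case for the post's `--ignore-scripts` habit: install without running hooks, then read what the package actually contains before letting it run.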
Just published a new article on how to safely allow inline scripts using CSP nonce. A practical look at balancing strict Content Security Policy with real-world frontend requirements.

💬 Thoughts? Link in the first comment.

#WebSecurity #CSP #FrontendDevelopment #JavaScript #Security #DevCommunity
Is your package-lock.json a ticking time bomb? 💣

The first quarter of 2026 has been a "security reckoning" for the JavaScript ecosystem. If you haven't run an audit this week, you might be at risk. We've seen three major shifts this year:

1️⃣ The Axios Supply Chain Attack: A malicious dependency (plain-crypto-js) was slipped into Axios versions 1.14.1 and 0.30.4. With 100M+ weekly downloads, this wasn't just a bug—it was a weaponized backdoor.

2️⃣ Next.js Request Smuggling (CVE-2026-29057): A medium-severity flaw allowed attackers to bypass internal route protections. If you're proxying traffic, you need to be on v16.1.7+ or v15.5.13+.

3️⃣ The "React2Shell" Era: As we move toward React Server Components (RSC), the boundary between client and server is blurring. We're seeing a new class of SSR-based vulnerabilities that traditional scanners are missing.

4️⃣ Vercel April 2026 security incident: We've identified a security incident that involved unauthorized access to certain internal Vercel systems.

My 2026 Checklist for Devs:
✅ Pin your versions: Stop using ^ for critical networking libs.
✅ Limit Image Cache: Update Next.js to fix the Image Optimization DoS (CVE-2026-27980).
✅ Audit Transitive Deps: The danger isn't just the library you installed—it's the library they installed.

Stay safe and keep those dependencies clean! 🛠️

#Javascript #ReactJS #NextJS #WebSecurity #SoftwareEngineering #javascript #InfoSec2026
I found a vulnerability in SandboxJS that was assigned CVE-2026-34217, and it's now patched.

While researching JavaScript sandboxing internals, I discovered a scope modification vulnerability in @nyariv/sandboxjs affecting all versions prior to 0.8.36.

What I found: Untrusted sandboxed code could use the new operator to leak internal interpreter objects, exposing scope objects in the execution hierarchy to code that should never touch them.

The vulnerability allows untrusted sandboxed code to leak internal interpreter objects through the new operator, exposing sandbox scope objects in the scope hierarchy to untrusted code, an unexpected and undesired exploit. While this could allow modifying scopes inside the sandbox, code evaluation remains sandboxed and prototypes remain protected throughout the execution.

https://lnkd.in/dhRc_cWw

#CVE202634217 #CyberSecurity #VulnerabilityResearch #JavaScript #CVE #ResponsibleDisclosure #OpenSource #AppSec #InfoSec
🚀 Client-Side Data Encryption (JavaScript)

While server-side security is paramount, client-side encryption can add an extra layer of protection for sensitive data. Use a JavaScript library like `crypto-js` to encrypt data before sending it to the server. This can help protect data from being intercepted or compromised during transmission. Remember that client-side encryption is not a substitute for server-side security measures, but rather an additional defense mechanism.

#JavaScript #WebDev #Frontend #JS #professional #career #development
Most developers think logout = deleting the token.

I used to think the same… until I realized something scary: JWT is stateless. Even after logout, the token is still valid until it expires. That means: if someone steals your token, they can still access your system.

So what does "logout" actually mean in real-world systems? Here are 2 common approaches:

Token Blacklisting
→ Store invalid tokens (DB/Redis) and reject them on every request

Short-lived tokens + Refresh tokens (industry standard)
→ Access token expires quickly (limits risk window)
→ Refresh token controls session securely

While working on authentication systems, this completely changed how I think about backend security. Security is not just about login — logout matters too.

What approach do you prefer: Blacklisting or Refresh Tokens?

#webdevelopment #backend #nodejs #javascript #security #jwt #softwareengineering #programming #hiring
While exploring a production site built with React + Next.js, I hit a route that didn't return HTML. Instead, it returned the raw React Server Component (RSC) payload. Things like:
• component tree references
• chunk mappings (/_next/static/...)
• providers (MantineProvider, ThemeProvider, etc.)

Basically, the server streamed internal rendering data instead of a fully hydrated page. This usually points to:
• incorrect route handling (e.g. non-standard paths like .txt)
• misconfigured SSR / App Router setup
• wrong response headers (serving RSC as plain text instead of HTML)

Not a direct exploit, but still a form of information disclosure. It exposes framework internals and signals potential deployment gaps.

With frameworks like Next.js, the server–client boundary is thin. If the rendering pipeline breaks, you don't just lose UI — you expose how your app actually works under the hood.

Curious if others have encountered similar RSC leaks in production?

#NextJS #ReactJS #WebSecurity #Frontend #JavaScript #SoftwareEngineering #BugHunting #BuildInPublic #WebDevelopment #npm #webdev #dev #WebSecurity #AppSec #CyberSecurity #InfoSec #DevSecOps #SecurityTesting #BugBounty #EthicalHacking #OWASP #SecurityAwareness
🚨 The most dangerous line of code in modern JavaScript might just be this: "npm install"

We've all done it. Need a modal, date picker, chart, or some fancy UI component in React, Next.js, Node.js, or any JavaScript framework? We quickly install a package and move on. Fast. Convenient. Productive.

But recently, I caught myself thinking more deeply about this habit from a security and engineering maturity perspective. What looks like "just a UI component" is often much more than that. That single install can pull in dozens or even hundreds of transitive dependencies, maintained by people we've never met, with code that can run not only in the browser, but sometimes on our local machines, CI pipelines, and even production servers.

And this is where it gets serious. A few very common ways attacks happen in the JavaScript ecosystem are:
- Supply chain attacks → a trusted package gets compromised and malicious code gets published
- Post-install script execution → harmful scripts run automatically during install
- Transitive dependency attacks → one package silently brings in hundreds of unknown dependencies
- SSR / server-side risks → especially in Next.js, packages may access env vars and server-side secrets
- XSS vulnerabilities → unsafe rendering can lead to token theft and session hijacking
- Typosquatting attacks → fake packages with similar names trick developers into installing malware

The scary part? Most of us install it in seconds… without even checking what it actually brings along.

As engineers, speed matters. But so does ownership🙄

I've started asking myself one simple question before every install: Can I build this safely in 30–50 lines myself? If yes, I prefer to own it. If no, I make sure the package is actively maintained, trusted, and dependency-light.

Sometimes the fastest solution today becomes the biggest risk tomorrow. In the JavaScript ecosystem, every dependency is a trust decision. And trust should never be added blindly.

Curious how others approach this in production systems: Do you prefer building custom UI components or relying on external packages?

#JavaScript #ReactJS #NextJS #NodeJS #WebSecurity #CyberSecurity #SoftwareEngineering #DeveloperMindset
Ever been stuck on a version mismatch that just wouldn't make sense? I have, and it turned into a solid learning experience.

A couple of days ago, I was working with Next.js. After all the recent NPM security concerns, I'd been regularly updating dependencies at work. But I hadn't touched my home PC in a while… and the environments had clearly drifted apart.

When I cloned the repo and tried to run it locally, everything went haywire. The frustrating part? The fix was simple, but it took me hours to even identify the problem.

At first, nothing obvious stood out. Then I noticed something odd: CSS wasn't loading at all. I tried tweaking global.css and even adjusting postcss.config… still nothing.

That's when I remembered a colleague suggesting a clean reinstall of dependencies. I gave it a shot: no luck.

Digging deeper into the errors, I started suspecting cache issues… or maybe even my antivirus interfering. Turns out, it was both.

Once I:
• Excluded the project folder from antivirus scanning
• Cleared the cache by removing the .next directory
• Reinstalled dependencies

A fresh build finally restored everything, and just like that, it worked.

Lesson reinforced: Sometimes the issue isn't your code; it's your environment.

Curious: have you ever lost hours debugging something that turned out to be a simple environment issue?

#WebDevelopment #NextJS #Debugging #SoftwareEngineering