
All news with #node.js tag

Thu, November 20, 2025

Tsundere Botnet Expands Using Game Lures and Node.js

🛡️ Kaspersky researcher Lisandro Ubiedo details an expanding Windows-focused botnet named Tsundere that retrieves and executes arbitrary JavaScript from remote command-and-control servers. The threat, active since mid‑2025, has been distributed via fake MSI installers and PowerShell scripts that deploy Node.js, install dependencies (ws, ethers, and pm2) and establish persistence. Operators fetch WebSocket C2 addresses from an Ethereum smart contract to rotate infrastructure, while a control panel enables artifact building, bot management, proxying, and an on-platform marketplace.


Fri, October 31, 2025

Malicious npm Packages Use Invisible URL Dependencies

🔍 Researchers at Koi Security uncovered a campaign, PhantomRaven, that has contaminated 126 packages in Microsoft's npm repository by embedding invisible HTTP URL dependencies. These remote links are not fetched or analyzed by typical dependency scanners or npmjs.com, making packages appear to have 0 Dependencies while fetching malicious code at install time. The attackers aim to exfiltrate developer credentials and environment details, and they also exploit AI hallucinations to create plausible package names.


Fri, October 10, 2025

Stealit Malware Uses Node.js SEA, Electron for Delivery

⚠️ Fortinet FortiGuard Labs has detailed an active campaign dubbed Stealit that uses Node.js Single Executable Application (SEA) packaging—and in some builds, the Electron framework—to deliver credential-stealing and remote-access payloads. Operators distribute counterfeit game and VPN installers via file-hosting sites and messaging platforms, which drop three primary executables that perform browser and messenger data theft, wallet extraction, and persistence with live screen streaming. Installers run anti-analysis checks, write a Base64 authentication key to %temp%\cache.json for C2 authentication, and configure Microsoft Defender exclusions to conceal downloaded components.


Fri, October 10, 2025

Stealit Campaign Abuses Node.js Single Executable Packaging

🔍 FortiGuard Labs identified an active Stealit campaign that distributes malware packaged with Node.js Single Executable Application (SEA) technology to create standalone Windows binaries. Operators deliver fake game and VPN installers via file-sharing sites and Discord, using multi-layer obfuscation and in-memory execution. The modular payloads harvest browser data and extension-based crypto wallets and provide remote access, with persistence via a startup Visual Basic script. Fortinet provides detections and recommends updating protections and user training.


Thu, September 25, 2025

Cloudflare Workers: A Year of Node.js Compatibility

🔧 Over the past year Cloudflare has significantly expanded Node.js compatibility inside Workers, adding many core modules as native runtime features. The effort includes modules such as node:fs, node:crypto, node:http, node:net, and node:zlib, plus a virtual in-memory file system and native crypto via ncrypto. These changes reduce reliance on polyfills and tooling shims, improve performance and memory usage, and let popular npm packages and frameworks like Express run more seamlessly. Developers enable this with the nodejs_compat flag and can opt in or out of EOL-related APIs using granular compatibility flags.


Mon, September 8, 2025

Running Node.js HTTP Servers on Cloudflare Workers Globally

🚀 Cloudflare has added support for the node:http client and server APIs in Workers, enabling developers to deploy existing Node.js HTTP applications at the edge with minimal code changes. This change makes frameworks like Express and Koa runnable on Workers with zero cold starts, automatic scaling, and reduced latency for global users. The client APIs are implemented on top of Workers' native fetch(), and server integration uses an internal bridge that registers listen(port) rather than binding TCP sockets. Some Node-specific features remain limited or unsupported (the Agent is effectively a no-op; trailers, early hints, 1xx responses, and TLS-specific options are not available).
