Cryptographically valid malware hits npm

Plus: what $$$ does in DevTools, Rolldown 1.0, and Vercel's new cross-platform desktop app framework.

#​785 — May 12, 2026 Read on the Web Together with  JavaScript Weekly Anatomy of the TanStack npm Compromise — A new strain of the Shai-Hulud worm pushed malicious versions of TanStack packages to npm yesterday (containing a tripwire that would delete files if it detected token revocation), though it hit ~170 other packages too. Maintainer credentials weren’t stolen, with the attack instead chaining pull_request_target abuse, cache poisoning, and OIDC token theft from CI memory. Tanner Linsley ❓ What should you do? Consider an install-time cooldown (e.g. with npm config set min-release-age=7 or pnpm's minimumReleaseAge), as the packages were only compromised for 26 minutes. Plus, audit your GitHub Actions workflows for security issues with a tool like zizmor. Next.js Debugging Workshop: Logs, Tracing, Full Context — Stop jumping between tools to piece together a Next.js bug. Sentry's hands-on workshop shows you how to write logs that explain where, what, and why, then connect them to traces across client and Node runtimes. Register today. Sentry sponsor Announcing Rolldown 1.0: The High Performance JS Bundler — The Rust-based bundler built as the backbone for Vite 8 reaches a stable v1.0. You get huge performance gains, but with Rollup plugin API compatibility: it's 10–30x faster than Rollup, with early adopters reporting big drops in build time. The VoidZero Team IN BRIEF: The notes from Node.js's recent collaboration summit make for good reading if you want to see what the Node team is working on right now. Regarding Bun's experimental port to Rust (from Zig), Jarred Sumner says the now-960k LOC rewrite passes 99.8% of Bun's pre-existing test suite. 🤖 A developer has launched a challenge to port NetHack to JavaScript. Can LLMs port the complex roguelike game perfectly? So far, no, with the leaderboard showing a transpiled version coming closest. Did you know Firefox has a $$$ helper for querying through the Shadow DOM? RELEASES: Jest 30.4.0 – A strong release for the popular JavaScript testing framework as it improves ESM, Temporal and React 19 support. Node 26.1 (Current) – Last week's big Node 26 release may have had the Temporal API, but 26.1 adds (experimental) official FFI support. I did a writeup of what this means at the end of last week's Node Weekly. Electron 42 – Updates to Chromium 148/Node 24.15/V8 14.8 and no longer downloads the Electron binary in a postinstall script for added security. Capacitor 9.0 Alpha 1, Playwright 1.60.0, Mantine 9.2 📖  Articles and Videos 33 JavaScript Concepts — What began life as a Medium article and turned into a popular GitHub repo is now a full site covering a wide array of JavaScript concepts, even going beyond the 33. Leonardo Maldonado 9 Times the Web Platform Was Influenced by JavaScript Libraries — How various libraries like Lodash, Dojo and jQuery often did the “R&D work in production” for various features that eventually ended up in browser APIs. Jad Joubran Easy and Rapid Azure Migrations. Azure Copilot Migration Agent — Check out Microsoft’s Introduction to Azure Copilot Agents free learning module to learn more and try it yourself. Microsoft Azure Copilot Migration Agent sponsor From React to Web Components: A Migration That Saved 100 KB — “How I migrated a site from React to native Web Components, why that worked better than I expected, and how the patterns I used along the way grew into a small library called nanotags.” Pavel Grinchenko (Evil Martians) Why Migrate to Valibot? — Valibot is a light, modular TypeScript schema validation library and an alternative to the likes of Zod. v1.4.0 just dropped, too. Fabian Hiller 📄 A Vanilla Routing Experiment – A look at the tripping points when building client-side routing for a small site without using a framework. Daniela Baron 📄 Preserving DOM Changes Across Live Reloads Kitty Giraudel 📄 I Keep Tripping Over true, false, true Matt Smith 📄 Stop Using Yarn Classic Nicolas Charpentier 📄 Introducing TanStack Form Adam Rackis 🛠 Code & Tools zero-native: Build Desktop Apps with Zig + WebView — Vercel Labs’ entry into the Neutralinojs/Electron/Tauri space for building native HTML+JS desktop apps atop a Zig core and the system WebView or Chromium. There are examples covering how to build vanilla, React, Svelte, and Vue apps on it. GitHub repo. Vercel That API Call Takes 3 Seconds. It's Not the Network — It's the analytics query behind it. TimescaleDB extends Postgres so queries stay fast at scale. $1000 credit to start. Tiger Data (creators of TimescaleDB) sponsor Wakaru: Pull Apart Minified JavaScript Bundles — A tool you can feed minified bundled code and get readable modules back, whether for recovering code, reverse-engineering, or security auditing. You can try it online here. Pionxzh BlueJS: Compile JavaScript to Tiny Binaries — An ahead-of-time compiler for JavaScript with QuickJS optionally embedded for dynamic features and package support. While closed source, the raw numbers are compelling (~5ms startup; 3.8MB peak memory use, and a GUI app in a 1.2MB binary). BlueJS 💡 PerryTS is another (open source) option in this space worth a look. pnpm 11.1 – Supports a new gh: prefix for GitHub Packages, pnpm bugs opens a package's bug tracker in the browser, and pnpm audit signatures verifies ECDSA registry signatures against keys. Astro 6.3 – Adds experimental support for advanced routing: control how requests flow through your app, with full support for frameworks like Hono. Syncpack 15.0 – Large JavaScript monorepo dependency version manager. Now with full support for pnpm and Bun catalogs. 📱 Expo SDK 56 Beta – The popular React Native framework gets a speed boost and the Jetpack Compose and SwiftUI APIs go stable. MDXEditor 4.0 – Powerful Markdown editor React component. 📰 Classifieds Flaky tests slowing down dev? Meticulous gives engineers confidence to ship faster by autonomously testing every edge case of your web app. 🔎 Detect, Highlight, Fix Accessibility - Test for WCAG & ARIA in the browser! Get A11yInspect Pro Free for 1 year - A developer friendly tool. Join the waitlist.

Published by Cooperpress and edited by Peter Cooper 'JavaScript' is a trademark of Oracle Corporation in the US We are not endorsed by or affiliated with Oracle. Change your email address or stop getting this newsletter. © Cooper Press Ltd · Fairfield Enterprise Centre, Louth, LN11 0LS, United Kingdom