Cryptographically valid malware hits npm

#​785 — May 12, 2026

Read on the Web

JavaScript Weekly

Anatomy of the TanStack npm Compromise — A new strain of the Shai-Hulud worm pushed malicious versions of TanStack packages to npm yesterday (containing a tripwire that would delete files if it detected token revocation), though it hit ~170 other packages too. Maintainer credentials weren’t stolen, with the attack instead chaining pull_request_target abuse, cache poisoning, and OIDC token theft from CI memory.

Tanner Linsley

❓ What should you do? Consider an install-time cooldown (e.g. with npm config set min-release-age=7 or pnpm's minimumReleaseAge), as the packages were only compromised for 26 minutes. Plus, audit your GitHub Actions workflows for security issues with a tool like zizmor.

Next.js Debugging Workshop: Logs, Tracing, Full Context — Stop jumping between tools to piece together a Next.js bug. Sentry's hands-on workshop shows you how to write logs that explain where, what, and why, then connect them to traces across client and Node runtimes. Register today.

Sentry sponsor

Announcing Rolldown 1.0: The High Performance JS Bundler — The Rust-based bundler built as the backbone for Vite 8 reaches a stable v1.0. You get huge performance gains, but with Rollup plugin API compatibility: it's 10–30x faster than Rollup, with early adopters reporting big drops in build time.

The VoidZero Team

IN BRIEF:

• The notes from Node.js's recent collaboration summit make for good reading if you want to see what the Node team is working on right now.

• Regarding Bun's experimental port to Rust (from Zig), Jarred Sumner says the now-960k LOC rewrite passes 99.8% of Bun's pre-existing test suite.

• 🤖 A developer has launched a challenge to port NetHack to JavaScript. Can LLMs port the complex roguelike game perfectly? So far, no, with the leaderboard showing a transpiled version coming closest.

• Did you know Firefox has a $$$ helper for querying through the Shadow DOM?

RELEASES:

• Jest 30.4.0 – A strong release for the popular JavaScript testing framework as it improves ESM, Temporal and React 19 support.

• Node 26.1 (Current) – Last week's big Node 26 release may have had the Temporal API, but 26.1 adds (experimental) official FFI support. I did a writeup of what this means at the end of last week's Node Weekly.

• Electron 42 – Updates to Chromium 148/Node 24.15/V8 14.8 and no longer downloads the Electron binary in a postinstall script for added security.

• Capacitor 9.0 Alpha 1, Playwright 1.60.0, Mantine 9.2

📖  Articles and Videos

33 JavaScript Concepts — What began life as a Medium article and turned into a popular GitHub repo is now a full site covering a wide array of JavaScript concepts, even going beyond the 33.

Leonardo Maldonado

9 Times the Web Platform Was Influenced by JavaScript Libraries — How various libraries like Lodash, Dojo and jQuery often did the “R&D work in production” for various features that eventually ended up in browser APIs.

Jad Joubran

Easy and Rapid Azure Migrations. Azure Copilot Migration Agent — Check out Microsoft’s Introduction to Azure Copilot Agents free learning module to learn more and try it yourself.

Microsoft Azure Copilot Migration Agent sponsor

From React to Web Components: A Migration That Saved 100 KB — “How I migrated a site from React to native Web Components, why that worked better than I expected, and how the patterns I used along the way grew into a small library called nanotags.”

Pavel Grinchenko (Evil Martians)

Why Migrate to Valibot? — Valibot is a light, modular TypeScript schema validation library and an alternative to the likes of Zod. v1.4.0 just dropped, too.

Fabian Hiller

📄 A Vanilla Routing Experiment – A look at the tripping points when building client-side routing for a small site without using a framework. Daniela Baron

📄 Preserving DOM Changes Across Live Reloads Kitty Giraudel

📄 I Keep Tripping Over true, false, true Matt Smith

📄 Stop Using Yarn Classic Nicolas Charpentier

📄 Introducing TanStack Form Adam Rackis

🛠 Code & Tools

zero-native: Build Desktop Apps with Zig + WebView — Vercel Labs’ entry into the Neutralinojs/Electron/Tauri space for building native HTML+JS desktop apps atop a Zig core and the system WebView or Chromium. There are examples covering how to build vanilla, React, Svelte, and Vue apps on it. GitHub repo.

Vercel

That API Call Takes 3 Seconds. It's Not the Network — It's the analytics query behind it. TimescaleDB extends Postgres so queries stay fast at scale. $1000 credit to start.

Tiger Data (creators of TimescaleDB) sponsor

Wakaru: Pull Apart Minified JavaScript Bundles — A tool you can feed minified bundled code and get readable modules back, whether for recovering code, reverse-engineering, or security auditing. You can try it online here.

Pionxzh

BlueJS: Compile JavaScript to Tiny Binaries — An ahead-of-time compiler for JavaScript with QuickJS optionally embedded for dynamic features and package support. While closed source, the raw numbers are compelling (~5ms startup; 3.8MB peak memory use, and a GUI app in a 1.2MB binary).

BlueJS

💡 PerryTS is another (open source) option in this space worth a look.

• pnpm 11.1 – Supports a new gh: prefix for GitHub Packages, pnpm bugs opens a package's bug tracker in the browser, and pnpm audit signatures verifies ECDSA registry signatures against keys.

• Astro 6.3 – Adds experimental support for advanced routing: control how requests flow through your app, with full support for frameworks like Hono.

• Syncpack 15.0 – Large JavaScript monorepo dependency version manager. Now with full support for pnpm and Bun catalogs.

• 📱 Expo SDK 56 Beta – The popular React Native framework gets a speed boost and the Jetpack Compose and SwiftUI APIs go stable.

• MDXEditor 4.0 – Powerful Markdown editor React component.