Newsletter #008: Security wins, npm attacks, and community momentum 🔒
Written by Ulises Gascón
Sep 23, 2025
This post was originally shared with my GitHub Sponsors. If you’d like to get early access to updates like this and support my open source work, consider becoming a sponsor here. 🙌
Hola everyone! 🎉
Hope you’ve all been doing awesome since our last catch-up. I was expecting August and September to be quiet months, but between the npm Shai-Hulud incident and a ton of security work, it turned out to be packed!
This edition is all about security milestones and community momentum. Let’s dive in! ✨
✨ Securing the Supply Chain with GitHub’s Secure Open Source Fund
I’m thrilled to share that as part of the Express.js maintainer team, I recently joined 125 maintainers from 70+ critical open source projects in the GitHub Secure Open Source Fund.
Over just three weeks the collective impact was massive: more than 50 CVEs disclosed, over 1,100 vulnerabilities remediated, and dozens of projects activating new security features. Secrets were also caught and resolved before they could leak, making the ecosystem stronger for everyone.
This program shows how powerful it is when maintainers, security experts, and platforms come together to level up the security of the open source supply chain. A huge thank you to GitHub for supporting this effort and to the entire maintainer community who made it possible. Securing open source is truly a team sport and I’m proud Express was part of this milestone. ✨
🧐 Strengthening Security with the OpenJS Foundation
Recently the OpenJS Foundation published a blog post detailing the security support it provides to its hosted projects. From clear escalation paths to a dedicated CVE Numbering Authority (CNA), as well as disclosure templates, compliance guides, and proactive threat monitoring, the Foundation is giving maintainers the resources they need to keep critical projects safe and sustainable.
For me, this support translated into real impact across the ecosystem. A great example is my recent work helping to establish the Webpack Security Working Group and co-authoring its Threat Model, inspired by the one we built for Express. Having a formal threat model makes risks clearer, triage faster, and the whole process more transparent for both maintainers and users.
These efforts show how the Foundation creates a multiplier effect. Instead of each project reinventing the wheel, we can share best practices and implement gradual improvements in our collective security posture 🚀
🔒 npm Under Attack: Community Response
Earlier this month, npm was hit by a wave of sophisticated attacks that combined techniques we’ve rarely seen together in the ecosystem: spear-phishing maintainers for tokens, exfiltrating stolen credentials into public GitHub repos, abusing AI-based developer tools through prompt injection, shipping payloads aimed at client-side persistence, and even experimenting with self-replicating, worm-like behavior.
For a full breakdown of the technical details, I recommend checking out StepSecurity’s analysis and Aikido’s write-up.
What I want to highlight here is not just what happened, but how we responded. Within hours of the first reports, the npm team and the OpenJS Foundation organized an emergency security meeting with maintainers and security leads. The discussion quickly focused on one of the most critical issues exposed by the attack: authentication and package publishing flows. The reality is that compromised tokens and weak CI/CD controls remain an open door for attackers, and this incident made that painfully clear.
While the attack was contained, it underlined a bigger truth: the software supply chain is still in a fragile state. Protecting npm — and open source at large — will require stronger safeguards, new practices, and collective effort from all of us in the community.
I’m also currently working on an Incident Response Plan (IRP) at the foundation level to coordinate responses to extraordinary incidents and other edge scenarios. Feel free to participate in the discussion on GitHub.
In the meantime, GitHub also published a public roadmap for strengthening the npm supply chain.
🚀 Express Contributions & New Releases
The Express team has been putting a big effort into contributing upstream and strengthening the ecosystem around the framework. A recent milestone was the transfer of iconv-lite into our organization, where we shipped v0.7.0 with important updates.
We also supported the release of [email protected], adding additional maintainers to ensure the package stays well maintained for the long term.
On the security front, we published a blog post on our latest security releases that covers patches and recommended updates.
🤖 New OpenJS AI Collaboration Space
The OpenJS Foundation has launched a new Collaboration Space dedicated to AI following an engaging discussion on AI-assisted development policies. The space aims to explore how JavaScript powers AI applications, establish best practices around security and responsible use, and create a hub for sharing knowledge across projects.
If you’re interested in shaping the future of AI and JavaScript, you’re welcome to join the conversations. The space is open to everyone, and the discussions are already lively and insightful.
📚 What Else?
The standards world has been busy! TC39 just advanced several proposals, including Intl Era and Month Code, Import Buffer, and Module Global.
Looking ahead, I'm especially excited about two talks proposed for the upcoming Node.js Collab Summit in October 2025: Maintainers Guide to Publishing Security in 2025 and Node.js New Release Schedule. Both are shaping up to be timely and important conversations for the community.
On the Express side, it’s great to see Sebastian Beltran officially joining the Express Security Triage team, and in the broader ecosystem, Rafael Gonzaga is now part of the OpenJS Foundation CNA, strengthening the security work across multiple projects.
Another highlight is the release of the OSPO Book 🎉. Huge congratulations to the entire team for bringing this to life, especially Ana Jiménez Santamaría, Alice Sowerby, Fernando Eugenio Correa, and Jan van den Berg. I’m glad I could contribute a little bit back in the early days of this project. You can check it out through the OSPOlogy releases.
Meanwhile in Express, The Great Monkey-Patch Safari has begun 🐒 — an adventure into critical hacks and hotfixes that’s already sparking great discussions. And our Performance Working Group has made solid progress too! If improving Express performance excites you, we’d love your help — come join us here.
🔗 Interesting Stuff
Some awesome reads from my network:
- Open Source Can’t Rely on Magic Piles of Money
- Introduction to JavaScript Security (LFS184)
- Hash state rewind using `{length: -x}` on GHSA-95m3-7q98-8xr5.
- Self-hosted AI starter kit with n8n: https://github.com/n8n-io/self-hosted-ai-starter-kit
- Securing Your GitHub Actions by Jaroslav Lobacevski
- Google Chrome at 17 - A history of our browser
🙌 Thank You!
As always, your support as a sponsor makes all of this possible 💖
Whether you’re contributing code, giving feedback, or just following along — thank you!
Stay awesome,
Ulises Gascón