Security | Threat Detection | Cyberattacks | DevSecOps | Compliance



You should be using HTTP Strict Transport Security (HSTS) headers in your Node.js server

For most websites and apps, employing security-related HTTP headers has become standard practice. Websites use headers as part of HTTP requests and replies to convey information about a page or data sent via the HTTP protocol. They might include a Content-Encoding header to indicate that the content is a compressed zip file or a Location header to specify a redirect URL.


No Festive Break for Security as Attackers Target Almost 300 NPM Packages

Although it’s the holiday season, the festive spirit doesn’t extend to cyber attackers, who consider this a great opportunity to cause havoc. But the Mend research team doesn’t rest, and remains alert for threats and vulnerabilities. Our vigilant team has detected an attack on npm packages that utilized typosquatting to compromise nearly 300 NPM packages. Let’s take a look at the nature of the attack and what we did to protect our systems and our users.


How to build a secure API gateway in Node.js

Microservices offer significant advantages compared to monoliths. You can scale the development more easily and have precise control over scaling infrastructure. Additionally, the ability to make many minor updates and incremental rollouts significantly reduces the time to market. Despite these benefits, microservices architecture presents a problem — the inability to access its services externally. Fortunately, an API gateway can resolve this issue.


How to handle Node.js file uploads with Fastify

File uploading is a commonly needed functionality in web applications. Because of this, many web frameworks provide ways to allow server-side applications to accept files and work with them. This is the same with Fastify, which is a Node.js web framework that is often regarded as a successor to Express. It’s fast and highly focused on providing the best developer experience with a powerful plugin architecture and the least overhead possible.


A Busy Weekend for npm Attacks, Including 'cors' Typosquatting

‘Tis the season for a busy weekend of software supply chain attacks. Over the past three days, the Mend research team identified two separate attacks that published malicious packages to npm. Mend Supply Chain Defender quickly identified the malicious code; the owners were notified, and the packages were removed. That does not fully remove the risk, however. The first package has 9.5 million downloads, while account CI keys were compromised in the second, which can cause significant damage.


How to Secure NodeJS API?

If you are building an API, you are most likely evaluating the pros and cons of available technologies. Sooner or later, you will surely come across NodeJS. NodeJS helps to create stable, scalable, and backward-compatible APIs. Besides the functionalities, you can’t overlook the security risk that comes with them. When misconfigured, insecure APIs leave your companies with high-profile cyber-attacks. Like any APIs, those developed with NodeJS come with security threats.


NPM security: preventing supply chain attacks

NPM security has been a trending topic in the media in recent years, mostly in reference to npm packages available on the ecosystem rather than the npm registry itself. The increasing security risk, that applies to developers and software we build, makes it even more important to understand how to prevent supply chain attacks and other security vulnerabilities related to software development life cycle.

Understanding NPM Dependency Confusions - What You Need to Know

NPM Dependency Confusion Join us in this livestream as we learn about NPM Dependency Confusions and what it is. If you have ever been confused about the topic, then this video will explain it you, as well as give you some practical examples. Didn't catch the live stream? Ask all of your Snyk questions and we’ll do our very best to answer them in the comment section. Snyk helps software-driven businesses develop fast and stay secure. Continuously find and fix vulnerabilities for npm, Maven, NuGet, RubyGems, PyPI and more.

Node.js multithreading with worker threads series: worker_threads tutorial

Node.js provides a single-threaded JavaScript run-time surface that prevents code from running multiple operations in parallel. If your application typically employs synchronous execution, you may encounter blocks during long-running operations. However, Node.js itself is a multi-threaded application. This is evident when you use one of the standard library’s asynchronous methods to perform I/O operations, such as reading a file or making a network request.


Cybercriminals targeted users of packages with a total of 1.5 billion weekly downloads on npm

Another week, another supply chain incident. It’s been only nine days since the Mend research team detected the dYdX incident, and today we have detected another supply chain malicious campaign. On October 02, 2022 at 12:12 UTC, a new npm account was registered, and a package called nuiversalify was immediately uploaded. The same threat actor then proceeded to publish more typo/spellcheck squattings of popular packages until 14:03:29 UTC, with small but irregular time gaps between uploads.