The latest JavaScript update dropped recently, with three big new features that are worth your time. Also this month: A fresh look at Lit, embracing the human side of AI-driven development, and more.

React conquered XSS? Think again. That's the reality facing JavaScript developers in 2025, where attackers have quietly evolved their injection techniques to exploit everything from prototype ...

A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it. According to Wordfence researchers, the malware ...

An ongoing campaign that infiltrates legitimate websites with malicious JavaScript injects to promote Chinese-language gambling platforms has ballooned to compromise approximately 150,000 sites to ...

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

A new JavaScript obfuscation method utilizing invisible Unicode characters to represent binary values is being actively abused in phishing attacks targeting affiliates of an American political action ...

Abstract: NoSQL injection is a security vulnerability that allows attackers to interfere with an application’s queries to a NoSQL database. Such attacks can result in bypassing authentication ...

I attempted to detect this vulnerability in our codebase but it doesn't get picked up. Similar to #7586 and #7591 but I can't quite see what changes are required to ...

Abstract: Most web programs are vulnerable to cross site scripting (XSS) that can be exploited by injecting JavaScript code. Unfortunately, injected JavaScript code is difficult to distinguish from ...