Sarah Gooding
May 29, 2025
The OpenJS Foundation can now assign CVE identifiers for vulnerabilities in more than 40 JavaScript projects it hosts, including popular tools like ESLint, Express, webpack, Fastify, and Electron. The foundation was approved as a CVE Numbering Authority (CNA) under Red Hat’s open source root on May 28.
While each project remains responsible for managing its own vulnerability disclosures, OpenJS can now act as an intermediary for CVE assignment, helping projects navigate reporting and publication.
The move is part of a broader push to improve security infrastructure across the open source JavaScript ecosystem, particularly for projects maintained by volunteers.
OpenJS' CNA scope is limited. It only applies to projects hosted by the foundation, and specifically excludes:
As of the latest update (May 28, 2025), 40 projects fall under this CNA’s scope:
Node.js is notably listed but continues to operate its own CNA for now. While the announcement mentions that Node.js may consider transitioning under the OpenJS CNA, no changes have yet been made.
It’s important to note that, according to its security policy, the foundation’s role is limited to CVE assignment and coordination support:
The OpenJS Foundation does not provide a central technical security function and thus does not directly receive, triage, or remediate security vulnerabilities on behalf of its hosted projects.
OpenJS does not triage or patch vulnerabilities itself. Instead, it supports maintainers in doing so. Each project is still independently responsible for its vulnerability disclosure process, meaning security researchers must follow each project's own security.md or listed disclosure policy.
This ensures the CNA acts more like an escalation and coordination layer, rather than a front-line vulnerability response team.
By establishing a CNA, OpenJS aims to reduce friction in CVE issuance for hosted projects, particularly for under-resourced or volunteer-maintained ones that lack structured security response workflows. This could help:
It also helps OpenJS projects participate more fully in the broader CVE ecosystem without maintainers needing to directly engage with MITRE or go through third-party CNAs like GitHub or HackerOne.
The CNA designation complements OpenJS’ ongoing work in the Security Collaboration Space, backed by Alpha-Omega, which provides templates, disclosure guides, and weekly community meetings. This new CNA designation has the potential to streamline how JavaScript maintainers handle vulnerability reports and reduce friction for security researchers.
Maintainers can request help not only with CVE assignment but also with improving their disclosure workflows, drafting advisories, or navigating coordinated release timelines.