
Security News
npm ‘is’ Package Hijacked in Expanding Supply Chain Attack
The ongoing npm phishing campaign escalates as attackers hijack the popular 'is' package, embedding malware in multiple versions.
Sarah Gooding
June 2, 2025
The 108th TC39 meeting took place last week in A Coruña, Spain, hosted by Igalia. Nine JavaScript proposals advanced during the meeting, and four are moving to Stage 4. Array.fromAsync
, Error.isError
, and the new using
declaration for explicit resource management are now headed into the ECMAScript specification.
Here’s a quick look at what’s next for the language.
Array.fromAsync
to Stage 4#Array.fromAsync
, a long-awaited utility for collecting async iterables into arrays, has conditionally advanced to Stage 4. Championed by J. S. Choi, it works like Array.from
but for async data sources, eliminating the need for manual for await...of
loops. Popularized in userland via libraries like it-all
, the proposal now set to become a native part of JavaScript, pending final editor sign-off.
Error.isError
to Stage 4#Error.isError
, a new built-in method for reliably detecting error objects, has advanced to Stage 4, championed by Jordan Harband. It provides a standardized way to check whether a given value is an instance of an error, resolving long-standing inconsistencies with cross-realm and custom error detection. The method already exists as a polyfill (error.iserror
on npm), and the proposal will now become a native part of JavaScript.
using`
to Stage 4#The Explicit Resource Management proposal, championed by Ron Buckton, has conditionally advanced to Stage 4. The proposal introduces using
and await using
declarations along with Symbol.dispose
and Symbol.asyncDispose
, enabling deterministic cleanup of resources like file handles, streams, and locks.
By mirroring patterns from languages like C#, Python, and Java, this addition makes structured resource management more ergonomic and less error-prone in both sync and async JavaScript code. Final advancement is pending review of tests and editor approval.
In addition to the three proposals advancing to the specification, TC39 moved forward six others: Immutable ArrayBuffer reached Stage 3, bringing a new primitive for safely sharing binary data across threads. Advancing to Stage 2 were Math.clamp and a Seeded Pseudo Random Numbers, both offering improved math capabilities and greater reproducibility.
Meanwhile, Keep Trailing Zeros, Inspector (originally part of the Comparisons proposal), and Random Functions entered Stage 1, beginning their journey through the standardization process.
The full agenda from the meeting is available here. TC39 plans to publish the official notes in approximately three weeks.
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Try it now
Security News
The ongoing npm phishing campaign escalates as attackers hijack the popular 'is' package, embedding malware in multiple versions.
Security News
A critical flaw in the popular npm form-data package could allow HTTP parameter pollution, affecting millions of projects until patched versions are adopted.
Security News
Bun 1.2.19 introduces isolated installs for smoother monorepo workflows, along with performance boosts, new tooling, and key compatibility fixes.