Malicious npm package 'esbuild-linux-arm32' discovered — immediate audit and cleanup advised
Key update
On August 14, 2025 an npm package named esbuild-linux-arm32 was identified as containing malicious code (OSV entry MAL-2025-19818). This is not a bug in the upstream esbuild codebase but a malicious or compromised package in the npm namespace that can be pulled into projects by loose dependency graphs, mirror/proxy misconfigurations, or careless installs.
Why it matters
esbuild is embedded in many frontend toolchains (Vite, frameworks, build tools). A malicious esbuild-* binary package in your dependency graph means an attacker could execute arbitrary code during install or when the dev server/binary runs, which risks code theft, secret exfiltration, or supply-chain persistence. Practical immediate actions: check your lockfile and node_modules for any esbuild-* packages you did not expect, run npm ci (or equivalent) from a pinned lockfile rather than installing untrusted new packages, remove any esbuild-linux-arm32 package, rotate credentials that were available to the affected environment, and add package/name allowlists or package-provenance checks in CI. For teams, enforce strict lockfile usage, cache or mirror trusted packages, and add automated scans for malicious/mismatched package names.
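The lockfile and node_modules check described above, as an added POSIX shell example (not part of the advisory): it lists every esbuild-related package recorded in package-lock.json or present on disk and flags any name missing from a team-maintained allowlist. The sample lockfile fragment and the allowlist entries are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit package-lock.json and node_modules for esbuild-related
# packages not on an allowlist. Sample data below is constructed, not real.

# Constructed lockfile (v2/v3 layout) fragment for the demo.
SAMPLE_LOCK='{
  "packages": {
    "node_modules/esbuild": { "version": "0.23.0" },
    "node_modules/@esbuild/linux-x64": { "version": "0.23.0" },
    "node_modules/esbuild-linux-arm32": { "version": "0.1.2" }
  }
}'

# Package names from a lockfile: keys look like "node_modules/<name>", possibly
# nested ("node_modules/a/node_modules/<name>"); keep the part after the last one.
lock_packages() {
  grep -o '"node_modules/[^"]*"' "$1" | sed 's#.*node_modules/##; s#"$##'
}

# esbuild-related package directories actually present under node_modules
# (catches packages installed outside the lockfile). Unscoped esbuild* dirs
# sit at depth 1; scoped ones live under @esbuild/.
installed_packages() {
  find "$1" -mindepth 1 -maxdepth 1 -type d -name 'esbuild*'
  if [ -d "$1/@esbuild" ]; then
    find "$1/@esbuild" -mindepth 1 -maxdepth 1 -type d
  fi
}

# Reduce stdin (names or paths) to esbuild-related names that are absent from
# the allowlist file ($1, one expected package name per line); print each one.
flag_unexpected() {
  sed 's#.*node_modules/##' | grep -E '(^|@)esbuild' | while read -r name; do
    grep -qxF "$name" "$1" || printf '%s\n' "$name"
  done
}

# CI entry points: any printed line is a finding to investigate.
audit_lockfile() { lock_packages "$1" | flag_unexpected "$2"; }
audit_node_modules() { installed_packages "$1" | flag_unexpected "$2"; }

# Demo on the constructed sample; point these at the real project in CI.
demo=$(mktemp -d)
printf '%s\n' "$SAMPLE_LOCK" > "$demo/package-lock.json"
printf '%s\n' esbuild @esbuild/linux-x64 > "$demo/allowlist.txt"
audit_lockfile "$demo/package-lock.json" "$demo/allowlist.txt"
```

The demo prints esbuild-linux-arm32 because it is the one esbuild-related name the allowlist does not cover.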