Glassworm Invisible Malware, Node.js Docs MCP and Node.js Permissions Model Updates

Security Vulnerabilities

A Directory Traversal Vulnerability I found in Mastra AI Frameworks MCP Server - A directory traversal vulnerability in the @mastra/mcp-docs-server npm package allows unauthorized directory listing, exposing sensitive information; developers should halt execution on path traversal detection and apply path validation to prevent exploitation.
How AISLE’s Analyzer Found Command Injection in glob’s CLI | AISLE - AISLE’s autonomous analyzer uncovered a command injection vulnerability in the glob CLI’s -c/—cmd flag, affecting versions v10.2.0 to v11.0.3, allowing remote code execution in CI pipelines; users should upgrade to v10.5.0, v11.1.0, or v12.0.0 and review their workflows for unsafe CLI usage.

Proposal - Shift Node.js to Annual Major Releases and Shorten LTS Duration · Issue #1113 · nodejs/Release - The proposal suggests shifting Node.js to an annual major release cycle with a shortened Long-Term Support (LTS) duration of 24 months, aiming to reduce maintenance complexity and provide a clearer roadmap, though it may slow feature availability and face initial community resistance.
permission: propagate permission model flags on spawn by RafaelGSS · Pull Request #58853 · nodejs/node · GitHub - RafaelGSS’s update ensures that spawn and spawnSync now propagate permission model flags, enhancing security by maintaining consistent permission settings across child processes unless explicitly overridden.

GitHub - lirantal/anti-trojan-source: Detect Glassworm & trojan source attacks that employ unicode bidi attacks to inject malicious code - Liran Tal’s “anti-trojan-source” tool detects Unicode-based trojan source attacks, using category-based detection to identify confusable characters, and offers integration with ESLint, CLI, and CI/CD pipelines for enhanced Node.js security.
GitHub - lirantal/mcp-server-nodejs-api-docs: MCP Server for Node.js API documentation - The MCP Server for Node.js API documentation provides a secure way to run and debug the server using npx or Docker, with detailed configuration examples for different platforms, enhancing flexibility and security in deployment.

Defending Against Glassworm: The Invisible Malware That’s Rewriting Supply Chain Security | Snyk - Glassworm is a self-propagating malware targeting VS Code extensions using invisible Unicode characters to hide malicious code, highlighting the need for specialized detection tools like anti-trojan-source to protect against these sophisticated supply chain attacks.
Why XSS Persists in This Frameworks Era? - GMO Flatt Security Research - Despite modern frameworks offering built-in XSS defenses, XSS persists due to diverse sinks, misuse of sanitizers, and gaps in framework coverage, highlighting the need for vigilant input validation, correct use of sanitizers like DOMPurify, and understanding of library specifications to effectively mitigate risks.