惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园_首页
阮一峰的网络日志
阮一峰的网络日志
S
Secure Thoughts
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
Cyber Attacks, Cyber Crime and Cyber Security
T
Threat Research - Cisco Blogs
P
Privacy & Cybersecurity Law Blog
The Hacker News
The Hacker News
H
Heimdal Security Blog
W
WeLiveSecurity
L
LINUX DO - 热门话题
Hacker News: Ask HN
Hacker News: Ask HN
WordPress大学
WordPress大学
The Last Watchdog
The Last Watchdog
Hugging Face - Blog
Hugging Face - Blog
博客园 - 【当耐特】
D
DataBreaches.Net
I
Intezer
Webroot Blog
Webroot Blog
C
Cisco Blogs
AWS News Blog
AWS News Blog
博客园 - 聂微东
T
The Blog of Author Tim Ferriss
V
Vulnerabilities – Threatpost
罗磊的独立博客
Google DeepMind News
Google DeepMind News
N
Netflix TechBlog - Medium
Schneier on Security
Schneier on Security
宝玉的分享
宝玉的分享
博客园 - 叶小钗
PCI Perspectives
PCI Perspectives
D
Docker
Scott Helme
Scott Helme
NISL@THU
NISL@THU
J
Java Code Geeks
B
Blog RSS Feed
Google Online Security Blog
Google Online Security Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
The Exploit Database - CXSecurity.com
AI
AI
美团技术团队
Cloudbric
Cloudbric
月光博客
月光博客
P
Proofpoint News Feed
T
Tailwind CSS Blog
Google DeepMind News
Google DeepMind News
小众软件
小众软件
www.infosecurity-magazine.com
www.infosecurity-magazine.com
The Cloudflare Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org

Hackread – Cybersecurity News, Data Breaches, AI and More

Operation Endgame Disrupts StealC, Amadey and SocGholish Malware Networks New GhostShell Hacking Group Targets Ukraine’s Drone Defense Sector Fake npm Packages Impersonate PostCSS Tool to Steal Chrome Passwords Best Crypto Payment Solutions for E-Commerce Businesses Internet Society Foundation Opens Global Call for Common Good Cyber Fund to Strengthen Cybersecurity LastPass Confirms Customer Data Breach After Klue OAuth Token Theft ‘Cordyceps’ CI/CD Flaw Exposes Microsoft, Google, Apache Repos to Pipeline Hijacking The Rise of AI-Powered Academic Fraud: Beyond Traditional Plagiarism New CryptoBandits Malware Uses USB Drives and Tor to Steal Crypto The Evolution of iGaming Fraud: What Security Teams Should Expect in 2027 2 Scattered Spider-Linked Hackers Plead Guilty Over £39M TfL Cyberattack Beats Studio Buds Flaw Could Let Nearby Attackers Eavesdrop on Users Texas Parks and Wildlife Data Breach Affects Over 3M License Customers Threat Hunting Beyond Alerts: Finding the Activity Detection Misses Scammers Use Fake GitHub Stars, VirusTotal Reviews to Spread Crypto Clipper Salesforce Disables Klue Integration After OAuth Token Theft Hits Customer Data MDR Provider Comparison: Time to Discover and Respond to Threats Gcore Helps Ucom Safeguard Public Live Broadcast Infrastructure During Armenia’s Parliamentary Elections Nintendo America Employee Data Exposed After Shadowbyt3$ Targets TinyPulse eFAQ Publishes Investigation Into Alleged Scam Activity and Coordinated Reputation Attacks FIFA World Cup 2026: Hackers Target Football Fans With Fake Tickets Sites MacBook Neo vs Windows Laptops for Cybersecurity Tasks Operation Endgame Disrupts SocGholish Malware Infrastructure What Businesses Should Know Before Migrating Their CMS DragonForce Ransomware Abused Microsoft Teams to Hide Malware Activity Agentjacking: Researchers Show How One Fake Bug Report Can Hijack AI Coding Agents FortiBleed Attack Exposes Fortinet Firewall Credentials in 194 Countries SpyCloud Report Finds Phishing Attacks Surge as Employee Data Is Exposed at 86% of Fortune 100 Companies 152 Chrome Live Wallpaper Extensions Hid Ad Tracking and Fake Search Clicks Heimdal Survey: Executives Four Times More Confident About AI Risk Than the Teams Managing It ESET MDR vs Sophos MDR: Compared Time to discover and respond to a threat 15 Malicious JetBrains Plugins Caught Stealing DeepSeek, OpenAI API Keys Amos Stealer Targets macOS Keychain Files and Browser Passwords Aembit Extends IAM for Agentic AI to Microsoft Copilot Studio AppViewX Launches Agent Identity Security to Govern Agents for the AI and Quantum Era New Rokarolla Android Trojan Found Targeting 217 Crypto and Banking Apps Developer laptops are the credential store attackers are picking through in 2026, GitGuardian announces Endpoint Protection Best of Android Fax Apps: Top 5 Secure Picks for 2026 Feds Seize CFAKE and SOCFAKE Over Explicit Deepfakes of Famous Women Handala Hacking Group Claims Breach of California Water Service Over 50 Android Apps Found Spreading MagicAd Trojan via Official Stores Hackers Hide New Argamal Malware Inside Working Hentai Games Extradited Ukrainian Man Admits Role in Conti Ransomware Attacks Atomic Arch Campaign Hijacks 20+ Linux AUR Packages to Deliver Malware ShinyHunters Target Universities in Oracle PeopleSoft Zero-Day Attack The SpaceX Pre-IPO Market: How Crypto Rails Are Opening Synthetic Access Feds Seize AudiA6 and Dark2Web in $389M Crypto Laundering Case ShinyHunters Leak 40GB of University of Nottingham Student Data Authorities Dismantle Decade-Old SniperDZ Phishing Network Criminal IP at Infosecurity Europe 2026: Introducing AITEM, the Next Chapter of Attack Surface Management Hackers Use Fake Claude Code Guide and AI PDFs to Spread AsyncRAT Malware The Hidden Security Risks of Poor Software Testing FBI Seizes China-Linked Fake Consulting Sites Targeting US Clearance Holders How to Turn Images into Animated Videos with AI: A Wondershare Filmora Guide Scammers Use TikTok and Instagram Reels to Spread Vidar Infostealer ServiceNow Discloses Security Incident Exposing Customer Data Cloud Security Report Finds Fragmented Tools Widening the Cloud Complexity Gap Microsoft June 2026 Patch Tuesday Fixes 206 Flaws and 3 Zero-Days Network Log Analysis: Why Collecting Logs is Not Enough E-Signature Security Checklist Before Selecting an E-Signature Tool Maine Govt Portal Lists 10M Discord Data Breach Notice, But Filing Shows Red Flags Handala Claims Israeli Radar Hack, But Evidence Shows Phone Admin Panel WhatsApp Says It Blocked Pegasus Spyware Campaign Linked to NSO Operation FlutterBridge Uses Fake Google Ads to Spread macOS Backdoor Hackers Clone Ghidra, dnSpy and Other Tool Sites to Spread Malware Silent Ransom Group Uses Fast Flux Botnet to Hide Law Firm Leak Sites New Pink Extortion Group Targets Microsoft 365 Cloud Data Via Vishing Scams Miasma Malware Hits 32 Red Hat Packages via Compromised GitHub Account Atlas Menu Data Breach Exposes 64,000 GTA V and CS2 Cheat Service Users Reaper macOS Infostealer Abuses Script Editor to Steal Crypto and Passwords iFood Confirms Data Breach Affecting 1.2 Million Users in Brazil Why eSIMs Are Replacing Traditional SIM Cards Lazarus Group Uses npm Brandjacking Campaign to Target Developers Five Eyes Warns Chinese Spies Are Using Fake Job Ads to Target Military Staff How to Recover Data from iCloud Backup Without Resetting Your iPhone China-Linked TA4922 Hackers Target UK, Europe With New SilentRunLoader Malware Alcasec, "Robin Hood of Spanish Hackers," Jailed for 31 Months Over Data Theft Fake ChatGPT Desktop App Ads Used to Push Password-Stealing Malware Hackers Abused Meta’s AI Support Bot to Hijack Major Instagram Accounts New WordPress Malware Uses Steam Profile Comments to Hide C2 Instructions Halo Security Honored with 2026 MSP Today Product of the Year Award Why Encrypted File Sharing Is Essential for Modern Businesses What One Predator Case Can Reveal About an Online Platform’s Safety Gaps RaccoonLine Publishes 2026 dVPN Buyer’s Guide for Privacy-Focused Users How to Get a Reddit API Key in 2026: Step-by-Step Guide Zero-Click pretalx XSS Flaw Lets Hackers Hijack Conference Organizer Accounts How to Get the Most From Your Explainer Video Production Services Fake Purchase Order Emails Spread Fileless PureLogs Malware via RAR Archives 27,000-Download Codex UI Tool Secretly Stole OpenAI Refresh Tokens Fake Anthropic Sites Deliver Fileless Infostealer to Claude Code Users The Deliverability Problem: How New Platforms Are Solving Inbox Placement The CISO Whisperer's Watch List For The Gartner Security & Risk Management Summit 2026 Can Big Data Predict Market Movements Accurately? Iran’s Nimbus Manticore Used Trojanized Zoom Installers Against US Firms How Can MSSPs Scale Threat Detection Without Burning Out Their Analysts? Link11 is fully committed to Europe and is opening a Customer Excellence Hub in Lisbon Trojanized Gemini and Claude Installers Target Developers Via SEO Poisoning Claude Mythos AI Identified 10,000+ Software Vulnerabilities in One Month FBI Chief Kash Patel’s Clothing Store Hacked in ClickFix Infostealer Attack Netherlands Busts Bulletproof Hosting Network Linked to Disinfo and Cybercrime
Meteor 3.0 Migration Helped Rocket.Chat Move Off End-of-Life Node.js Runtime
Owais Sultan · 2026-06-20 · via Hackread – Cybersecurity News, Data Breaches, AI and More

Node.js 14 went end-of-life on April 30, 2023, leaving some framework-dependent applications on an unsupported runtime while upstream projects completed major migration work.

One of the most visible downstream cases was Rocket.Chat, a communications platform whose federal government page states that it is “trusted across the federal stack with DoD ATO up to IL6” and displays NIPR, SIPR, and JWICS badges alongside the DoD seal.

Rocket.Chat CTO Rodrigo Nascimento said in a GitHub discussion that the platform could not move to a supported Node.js version until Meteor 3.0 was out. The blocker was the framework.

The Node.js 14 Problem for Meteor Applications

Meteor remains active across the open-source and commercial software ecosystem. The project has 44,800-plus GitHub stars, while Wappalyzer, TheirStack, and Enlyft show Meteor being used by live companies. npm download data for meteor-node-stubs also points to continued activity, with weekday activity in May and June 2026 noticeably higher than early 2025 levels.

The technical problem came down to one library: node-fibers. Meteor relied on it to make asynchronous code behave synchronously, a practical workaround that later became a structural liability. When Node.js 16 arrived, node-fibers stopped working. That meant any Meteor application wanting to move to a supported runtime had to remove Fibers and rebuild around native async/await. This was not a routine patch. It required a programming model change.

The gap between identifying the problem and completing the migration opened in June 2021 and stayed open for years. GitHub Discussion #11505 laid out why the transition needed to happen. But knowing a migration is needed and completing it across a large framework are different problems. Meteor continued shipping with node-fibers. Node.js 14 reached EOL. The migration still had to be completed.

The Migration Approach

Meteor Software, the company behind both Meteor.js and the Galaxy hosting platform, restructured in 2022 and brought in new leadership. Henrique Schmaiske joined as the first technical hire under the incoming CEO. He became one of three core contributors who helped take Meteor 3.0 from problem to release.

The team had a choice: deliver one large breaking release, or provide a path developers could follow in stages. They chose the second option. Versions 2.8 and 2.9 introduced async versions of major components, including Meteor.callAsync, a reworked MongoDB API, OAuth, and accounts-password, before Fibers were removed. Downstream teams were given a runway to prepare.

In March 2023, Meteor published a public roadmap thread on the Meteor Forum: “Fibers Public Roadmap and Meteor 3.0.” Weekly updates followed over the next two years. That mattered because organizations running their own security, compliance, and upgrade timelines needed visibility into when the migration would land and what was still in progress.

Schmaiske held CODEOWNER status on the meteor/meteor repository. His sign-off was required for changes touching key parts of the codebase. The role covered roadmap definition, migration sequencing, and direct coordination with major downstream consumers.

Henrique-Schmaiske

Meteor 3.0 Ships

Meteor 3.0 landed on July 16, 2024. The work behind it was substantial: 2,300-plus commits, more than 800 modified files, and over 200 pull requests. node-fibers was removed. The codebase moved to native async/await, Connect gave way to Express, and Node.js 20 support arrived with the release.

Schmaiske worked directly with Rocket.Chat’s engineering team through the migration. Rocket.Chat runs on Meteor and React, with framework code inside the apps/meteor/ directory of its monorepo. For Rocket.Chat’s engineers, the Meteor 3.0 transition was not an abstract upstream change. It affected their production codebase directly.

Rocket.Chat 7.0.0 shipped on November 1, 2024. The release notes confirmed the move to Node.js 20.x and Meteor 3.0. Pull request #31438 in the same release named Fibers removal directly. For a platform carrying DoD ATO up to IL6 and operating across NIPR, SIPR, and JWICS environments, this was more than a routine version bump. It brought the runtime back onto a supported foundation.

There is no indication that the runtime gap was exploited against Rocket.Chat. The issue is that unsupported runtimes create audit, patching, and exposure risks even when no public CVE or active exploit is involved.

Supply-Chain Risk Without a CVE

Meteor 3.0 puts a name to a category of supply-chain risk that standard vulnerability management does not always catch. No CVE was filed. No exploit was circulating. The exposure was structural: an unsupported runtime underneath a downstream ecosystem, including software used in environments where security and compliance requirements are strict.

Rocket.Chat is the most visible case, not the only one. ANY.RUN, Qualia, and Clinical Meteor all point to Meteor’s presence across security, healthcare, real estate, and enterprise software. Decisions made deep inside the Meteor.js codebase can reach production environments where reliability is expected.

That is the main lesson. Framework modernization is not only a developer convenience. In large open-source ecosystems, the gap between a documented problem and a completed fix can affect many downstream users. EOL dates do not always trigger immediate action. They pass, and the consequences move downstream.

What made Meteor 3.0 manageable was not technical work alone. It was the public roadmap, the staged migration path, weekly progress updates, and direct coordination with teams most likely to be affected. Whether this becomes a model for how open-source projects handle runtime debt will depend on whether maintainers treat EOL dependencies as a supply-chain risk before they become someone else’s incident report.

Sources

  1. Meteor Software. (2023, March 2). Fibers public roadmap and Meteor 3.0 (Forum post). Meteor Forum. https://forums.meteor.com/t/fibers-public-roadmap-and-meteor-3-0/59627
  2. Meteor Software. (2024, July 16). It’s official, Meteor 3.0 official release is out! (Forum post). Meteor Forum. https://forums.meteor.com/t/its-official-meteor-3-0-official-release-is-out/61860
  3. meteor/meteor. (n.d.). Meteor.js (Source code repository). GitHub. https://github.com/meteor/meteor
  4. meteor/meteor. (2021, June). Change how Meteor executes async code (Discussion #11505). GitHub. https://github.com/meteor/meteor/discussions/11505
  5. Nascimento, R. (2023, June). NodeJS 14 end of life (Discussion #29658). GitHub. https://github.com/orgs/RocketChat/discussions/29658
  6. Rocket.Chat. (n.d.). Secure collaboration for the US federal government. https://www.rocket.chat/industry/us-federal-government
  7. RocketChat. (2024, November 1). Release 7.0.0 (Software release). GitHub. https://github.com/RocketChat/Rocket.Chat/releases/tag/7.0.0
  8. RocketChat. (2024). feat!: Meteor 3.0 – Node.js 20 (Pull request #31438). GitHub. https://github.com/RocketChat/Rocket.Chat/pull/31438