惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Hacker News
The Hacker News
F
Full Disclosure
Cloudbric
Cloudbric
Blog — PlanetScale
Blog — PlanetScale
W
WeLiveSecurity
N
News and Events Feed by Topic
T
Troy Hunt's Blog
V2EX - 技术
V2EX - 技术
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
B
Blog
GbyAI
GbyAI
C
Check Point Blog
B
Blog RSS Feed
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Recorded Future
Recorded Future
The Last Watchdog
The Last Watchdog
N
News and Events Feed by Topic
T
The Blog of Author Tim Ferriss
O
OpenAI News
V
V2EX
人人都是产品经理
人人都是产品经理
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
IT之家
IT之家
WordPress大学
WordPress大学
www.infosecurity-magazine.com
www.infosecurity-magazine.com
S
Security @ Cisco Blogs
C
Cisco Blogs
Security Latest
Security Latest
S
Security Affairs
V
Visual Studio Blog
C
Cybersecurity and Infrastructure Security Agency CISA
Hacker News - Newest:
Hacker News - Newest: "LLM"
博客园 - 司徒正美
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Microsoft Azure Blog
Microsoft Azure Blog
Last Week in AI
Last Week in AI
AWS News Blog
AWS News Blog
雷峰网
雷峰网
Apple Machine Learning Research
Apple Machine Learning Research
PCI Perspectives
PCI Perspectives
博客园_首页
U
Unit 42
Google DeepMind News
Google DeepMind News
Hugging Face - Blog
Hugging Face - Blog
Project Zero
Project Zero
Cisco Talos Blog
Cisco Talos Blog
The Register - Security
The Register - Security
N
Netflix TechBlog - Medium
L
LINUX DO - 热门话题
H
Hacker News: Front Page

Socket

Suno Breached via Shai-Hulud Worm, Leaked Code Exposes AI Mu... 11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windo... Compromised npm Packages in the AsyncAPI Namespace Deliver M... jscrambler npm Package Compromised in Supply Chain Attack - ... Fake Braintree NuGet Package Skims Credit Cards and Harvests... Compromised Injective SDK npm Package Exfiltrates Wallet Key... npm v12 Ships With Install Scripts Off by Default, Begins De... Malicious Go Module Exposes GitHub Malware Lure Network Span... pnpm 11.10 Hardens Registry Authentication to Block Token Re... Coordinated npm and PyPI Campaign Typosquats Popular Secure ... Node.js Considers Public Workflow for Security Reports Amid ... PolinRider: North Korea-Linked Supply Chain Campaign Expands... Risky Biz Podcast: AI Agents Are Raising the Stakes for Soft... Chrome and Firefox Extensions Posing as Free VPNs Add Clipbo... Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages - S... Rolldown Pulls Rust React Compiler Integration After Binary ... Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and Git... Frontier AI Is Now Critical Infrastructure - Socket The Code You Didn't Write Is Still Yours to Defend - Socket GitHub Actions Checkout Now Blocks Risky pull_request_target... Introducing Repository Access Permissions and Custom Roles -... Socket MCP Adds Org Alerts, Threat Feed Review, and Package ... Socket Firewall Now Blocks Malicious VS Code and Open VSX Ex... 140+ Mastra npm Packages Compromised in Coordinated Supply C... npm Package Uses Prompt Injection and Token Flooding to Disr... Introducing Manifest Alerts - Socket GlassWASM: WebAssembly Malware Found in Trojanized Open VSX ... Socket for Linear Is Now Available - Socket US Government Forces Anthropic to Pull Claude Fable Days After Launch 152 Chrome Live Wallpaper Extensions Hid Ad Tracking and Faked Google Search Traffic Andrew Becherer Joins Socket as Chief Information Security Officer Socket Partners with Replit to Block Malicious Packages in AI-Powered Development npm Tooling Bug Incorrectly Marks One-Character Packages as Security Holders Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers via Malicious PyPI Wheels Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads with New PyPI Wave RubyGems Adds Cooldown Feature to Bundler for Newly Published Gems RubyGems Adds Cooldown Feature to Bundler for Newly Published Gems pnpm 11.5 Adds Support for Recognizing npm Staged Publishes pnpm 11.5 Adds Support for Recognizing npm Staged Publishes Federal Audit Finds NIST Wasted Funds With No Plan to Clear NVD Backlog Federal Audit Finds NIST Wasted Funds With No Plan to Clear NVD Backlog Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages Famous Chollima Targets PHP Developers Through Compromised Packagist Package Famous Chollima Targets PHP Developers Through Compromised Packagist Package Rust Moves to Restrict LLM Use in Contributions After Months of Internal Debate Rust Moves to Restrict LLM Use in Contributions After Months of Internal Debate Malicious NuGet Package Impersonates Sicoob SDK to Exfiltrate Banking Certificates and Passwords Malicious NuGet Package Impersonates Sicoob SDK to Exfiltrate Banking Certificates and Passwords Feross on TBPN: Socket's Series C and the State of Software Supply Chain Security Feross on TBPN: Socket's Series C and the State of Software Supply Chain Security OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io Laravel Lang Compromised with RCE Backdoor Across 700+ Versions Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects AI Has Taken Over Open Source npm Invalidates Granular Access Tokens as Mini Shai-Hulud Sweeps the Registry Coruna Respawned: Compromised art-template npm Package Leads to iOS Browser Exploit Kit Socket raises $60M Series C at $1B valuation led by Thrive Capital to secure AI-driven software development Socket Raises $60M Series C at a $1B Valuation to Help Enterprises Build Securely With AI Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor Active Supply Chain Attack Compromises @antv Packages on npm Popular node-ipc npm Package Infected with Credential Stealer TeamPCP and BreachForums Launch $1,000 Contest for Supply Chain Attacks Packagist Urges Immediate Composer Update After GitHub Actions Token Leak GemStuffer Campaign Abuses RubyGems as Exfiltration Channel Targeting UK Local Government Socket Named to Rising in Cyber 2026 List of Top Cybersecurity Startups TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud Supply-Chain Attack fsnotify Maintainer Dispute Sparks Supply Chain Concerns Socket Releases Free Certified Patches for Critical vm2 Sandbox Escape 5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer pnpm 11 Adds Supply Chain Protection Defaults for Minimum Release Age and Exotic Subdependencies PyPI Fixes High-Severity Access Control Issues Found in Security Audit Malicious Ruby Gems and Go Modules Impersonate Developer Tools to Steal Secrets and Poison CI Mini Shai-Hulud Spreads to Packagist: Malicious Intercom PHP Package Follows npm Compromise Intercom’s npm Package Compromised in Ongoing Mini Shai-Hulud Worm Attack lightning PyPI Package Compromised in Supply Chain Attack Malicious npm Package Brand-Squats TanStack to Exfiltrate Environment Variables SAP CAP npm Packages Hit by Supply Chain Attack Socket Has Acquired Secure Annex 73 Open VSX Sleeper Extensions Linked to GlassWorm Show New Malware Activations Introducing Reachability for PHP Introducing Data Exports Malicious Checkmarx Artifacts Found in Official KICS Docker Repository and Code Extensions Introducing Organization Notifications in Socket Introducing Reports: An Extensible Reporting Framework for Socket Data Socket for Jira Is Now Available Socket Named Top Sales Organization by RepVue NIST Officially Stops Enriching Most CVEs as Vulnerability Volume Skyrockets Socket Selected for OpenAI's Cybersecurity Grant Program Feross on the 10 Minutes or Less Podcast: Nobody Reads the Code 108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2 Infrastructure Node.js Drops Bug Bounty Rewards After Funding Dries Up The Hidden Blast Radius of the Axios Compromise
Next.js moves to scheduled security releases - Socket
Sarah Gooding · 2026-07-16 · via Socket

Sidebar CTA Background

Secure your dependencies with us

Socket proactively blocks malicious open source packages in your code.

Install

Vercel announced that Next.js is adopting a formal security release program, replacing the ad-hoc patches the framework has shipped until now. Going forward, the team will publish advance notice of security releases on the Next.js blog roughly once a month. Each notice will state the expected release date and the highest anticipated severity of the fixes it covers.

The first scheduled release is slated for July 20. It will ship patch releases for Next.js 16.2 and 15.5 and addresses 4 high and 5 medium severity vulnerabilities. Vercel said it will publish CVE details once the patches are available. Urgent fixes and vulnerabilities under active exploitation will still ship more immediate patches outside the schedule.

Next.js has patched security issues on no set timeline. Vercel described those past releases as infrequent and disruptive, arriving with no advance warning. The new model gives teams a predictable window to plan upgrades. It also gives Vercel time to coordinate with hosting providers and platform partners on mitigations, such as firewall rules that can protect applications before they are patched.

Pre-announced, scheduled security releases are already standard at large open source projects. Django, Node.js, Kubernetes, and OpenSSL all publish security releases on a set cadence, with advance notice and an embargo on specifics until the patch lands. Next.js is adopting an established practice at its current scale rather than introducing a new one.

React2Shell preceded the program#

Vercel's post cites React2Shell as an example of its security process "working as intended." The vulnerability was one of the most serious to hit the React ecosystem in the past year.

React2Shell (CVE-2025-55182) was a pre-authentication remote code execution flaw in React Server Components, rated CVSS 10.0 and exploitable through a single crafted HTTP request. Google's Threat Intelligence Group observed widespread exploitation within days of the December 3 disclosure, across clusters ranging from opportunistic criminals to suspected espionage groups. Amazon saw China state-nexus groups, including Earth Lamia and Jackpot Panda, exploiting it within hours. Palo Alto's Cortex Xpanse counted more than 968,000 exposed React and Next.js instances. Default Next.js configurations were vulnerable with no code changes required from the developer.

The patch did not close the story. Researchers examining the fixes surfaced two more RSC vulnerabilities (CVE-2025-55183 and CVE-2025-55184), and the initial fix for one was incomplete, requiring a second patch under CVE-2025-67779. Vercel also ran a bounty on the React2Shell vulnerability class and WAF bypasses, and says the program paid out more than $1M to dozens of researchers.

Vercel has changed its security process twice since early 2025#

React2Shell was the second high-severity security event to hit Next.js in about a year, but it was not a Next.js bug. The flaw was in React Server Components, upstream of Next.js, and Next.js shipped it to users through the App Router.

The first event was a flaw in Next.js itself, an authorization bypass disclosed in March 2025 and rated CVSS 9.1. It let an attacker skip Next.js middleware, including authentication and authorization checks, by spoofing the internal x-middleware-subrequest header. In its postmortem, Vercel acknowledged that the initial report sat in a lower-priority triage queue, that triaging was delayed, and that it could have communicated better with infrastructure and auth partners. That incident produced the LTS policy that now governs which Next.js versions receive security backports.

Each event was followed by a change in how Vercel handles security releases. The scheduled program is the latest.

Self-hosted deployments carry the risk#

Advance notice helps platforms deploy mitigations before users upgrade. During React2Shell, Vercel worked with the React team to design WAF rules and delivered them to Vercel-hosted applications before the CVE was public. The same held for CVE-2025-29927, where Vercel-hosted deployments were protected automatically.

Self-hosted deployments are more exposed. The window between a scheduled disclosure and a completed upgrade is the period attackers target. Next.js also sits deep in the dependency trees of millions of applications, which means the teams that need to act on each release include those who are not running Next.js directly.

AI-assisted discovery is raising patch volume across the industry#

Vercel attributes the rising volume of vulnerability research to LLM-assisted discovery, and cites one data point: Mozilla's disclosure of 271 issues in a single Firefox release. Those fixes shipped in Firefox 150, all surfaced by an early version of Anthropic's Claude Mythos Preview. An earlier pass with Claude Opus 4.6 had found 22 in Firefox 148. This week, Microsoft shipped its largest Patch Tuesday on record, 570 fixes, and credited AI-aided discovery for the volume. Microsoft has now patched more than 1,300 vulnerabilities in the first seven months of 2026, close to double the same period last year.

Other vendors are also speeding up their security release schedules. Adobe is moving to twice-monthly security bulletins and cited AI for accelerating its cycle, and Cisco, Mozilla, and Oracle are also shipping updates more frequently. Vercel runs the same class of tooling against Next.js through deepsec, the agent-powered scanner it open sourced in May, along with its own researchers and an expanded bug bounty scope. The company anticipates the first scheduled security release will cover nine vulnerabilities on its own.