JavaScript/TypeScript Security Playbook

Executive Summary

JavaScript and TypeScript dominate the modern enterprise stack. They run the web front-ends users touch, the Node.js and Deno back-ends that serve them, and a rapidly growing share of serverless functions in the cloud. Their adoption curve is exponential, but their security maturity is lagging. The npm ecosystem, with its sprawling dependency chains, creates an inherently adversarial supply chain. Dynamic execution and prototype inheritance expand the runtime attack surface. Static scanning alone cannot answer the key question: what is actually exploitable in production? Security teams need runtime intelligence to see what attackers see.

Threat Model

Every enterprise JavaScript/TypeScript codebase pulls in hundreds, sometimes thousands, of dependencies. Each dependency, including its transitive packages, is potential execution of untrusted code. Attackers exploit the weakest links: an abandoned npm package taken over by a malicious maintainer, a JSON Web Token configured with alg=none, or a Babel plugin embedded deep in the build pipeline.

The principle is simple. Static analysis tells you what might be vulnerable. Runtime intelligence shows what matters, because it proves which vulnerabilities are reachable in production and exploitable by attackers.

Supply Chain and Dependencies

The npm ecosystem is the largest attack surface in modern software. Installing an npm package is equivalent to running unvetted code. Typosquatting makes it worse: developers frequently mistype express as expres, unknowingly installing malware that exfiltrates environment variables. Abandoned packages like event-stream have been hijacked and turned into crypto-stealers.

• First principle: treat every install as executing untrusted code.
  
  
• Defenses: pin versions, mirror packages internally, and validate which dependency functions actually execute at runtime.
  

Prototype Pollution

Prototype pollution exploits JavaScript’s inheritance model. Attackers use unsafe merges (Object.assign, lodash.merge) to inject new properties into global object prototypes. Lodash CVE-2019-10744 is a case in point: polluted objects in Node.js web apps allowed crafted input to escalate privileges.

• First principle: any merge of untrusted input is an exploit vector.
  
  
• Defenses: replace unsafe merge utilities with hardened libraries, and monitor object graphs in production for anomalous properties.
  

Runtime Injection

Dynamic execution (eval, dynamic require, insecure templating) is functionally equivalent to remote code execution. The asynchronous event loop makes exploitation difficult to detect in staging but trivial in production. One example: server-side template injection in Handlebars enabled attackers to execute arbitrary commands by slipping payloads into unvalidated templates.

• First principle: dynamic execution must be treated as RCE until proven otherwise.
  
  
• Defenses: ban eval, track untrusted inputs flowing into execution sinks, and instrument event loops for anomalies.
  

Authentication and Tokens

Misconfigured JWTs have repeatedly compromised enterprise systems. The classic case is accepting tokens with alg=none, allowing attackers to mint valid tokens without a key. Others involve failing to enforce expiration, leaving long-lived credentials valid indefinitely. In 2020, multiple Node.js back-ends were caught accepting unsigned JWTs, effectively granting attackers persistent sessions.

• First principle: every token is long-lived until proven short-lived.
  
  
• Defenses: enforce algorithm allowlists, rotate signing keys, and monitor token acceptance in runtime.
  

Build Toolchains

JavaScript build systems are not passive—they are execution environments. Plugins in Webpack, Babel, and Rollup execute arbitrary code at build time. In 2021, a malicious Babel plugin was found exfiltrating AWS credentials from developer machines.

• First principle: builds are privileged execution environments.
  
  
• Defenses: lock plugin versions, audit all updates, and instrument CI/CD pipelines to detect unexpected network calls.
  

Serverless and Cloud Runtimes

Node.js and TypeScript dominate serverless. In AWS Lambda, attackers have exploited access to the cloud metadata service (169.254.169.254) to steal IAM credentials and escalate privileges. Serverless misconfigurations often amplify risk across multi-tenant environments.

• First principle: every function is internet-facing unless proven otherwise.
  
  
• Defenses: block metadata endpoints, apply least privilege IAM roles, and monitor cold starts for injected code.
  

Detection and Response

Defending modern JS/TS systems requires runtime observability. The signals that matter are unexpected package loads, prototype chain anomalies, and outbound traffic initiated from Node.js processes. Static scanners may report 10,000 CVEs, but runtime intelligence will show which 50 are reachable and exploitable. When npm supply chain compromises occur, the safe assumption is total compromise. Response requires rebuilding from clean mirrors, removing persistence in build plugins, and monitoring runtime for attacker-controlled flows.

Static vs Runtime Approaches

Static tools operate at the level of CVSS scores. Runtime intelligence operates at the level of attacker reachability. For example, static scanning flags Lodash as vulnerable, but runtime analysis proves whether polluted objects are actually being used in production. Static tools may miss JWT misconfigurations or plugin abuses, while runtime observability reveals which tokens are being improperly accepted and which plugins are behaving like backdoors.

MITRE ATT&CK Mapping

Conclusion

JavaScript and TypeScript adoption will only accelerate. The npm ecosystem guarantees exposure to low and medium CVEs, while the runtime model ensures those CVEs can be chained into real exploits. Static analysis tells you what might matter; runtime intelligence shows you what does. For product security teams, the durable strategy is to treat npm as adversarial, validate continuously in runtime, and align defenses with the MITRE ATT&CK chain. Only then can defenders keep pace with the speed of modern enterprise JavaScript and TypeScript adoption.

References

• Holmes, A. (2018, November 26). Hackers backdoor popular JavaScript library to steal bitcoins. BleepingComputer. https://www.bleepingcomputer.com/news/security/hackers-backdoor-popular-javascript-library-to-steal-bitcoins/
• npm, Inc. (2018). event-stream incident report. npm Blog. https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
• OWASP. (2021). JavaScript prototype pollution. OWASP Foundation. https://owasp.org/www-community/vulnerabilities/Prototype_Pollution
• MITRE ATT&CK®. (2024). ATT&CK techniques matrix. MITRE Corporation. https://attack.mitre.org/
• SecurityWeek. (2021, June 10). Malicious npm packages found stealing credentials. SecurityWeek. https://www.securityweek.com/malicious-npm-packages-found-stealing-credentials
• Veracode. (2020). Common JWT vulnerabilities and how to prevent them. Veracode Blog. https://www.veracode.com/blog/secure-development/common-jwt-vulnerabilities-and-how-prevent-them
• Zorz, Z. (2021, May 12). Malicious Babel plugin exfiltrates AWS credentials. Help Net Security. https://www.helpnetsecurity.com/2021/05/12/malicious-babel-plugin