Dev weekly digest: Supply chains under siege, animations unchained, and Cloudflare takes on WordPress
North Korean hackers hit Axios and hunt more npm maintainers. React Native 0.85 ships a shared animation backend. Cloudflare launches EmDash, a TypeScript CMS taking on WordPress. Google proposes JSIR to reshape JS tooling. Plus MUI 9, Turborepo 2.9, and HTML lazy media.
This week brought a jarring mix of security urgency and genuine technical progress. North Korean hackers compromised Axios and are actively hunting more npm maintainers, while React Native 0.85 shipped a long-awaited animation overhaul, Cloudflare launched a TypeScript-powered WordPress successor, and Google proposed a new intermediate representation that could reshape JavaScript tooling for years to come.
1. Axios supply chain attack postmortem reveals North Korean state actor
The Axios team published a detailed postmortem of the March 31 compromise, in which malicious versions (1.14.1 and 0.30.4) pulled in a fake plain-crypto-js dependency that installed a remote access trojan. The attack, attributed to the North Korean group UNC1069 (aka Sapphire Sleet), used weeks of social engineering to compromise a maintainer's machine. The malicious versions were live for about 3 hours, but with 100M+ weekly downloads the blast radius is significant. Check your lockfiles, including nested transitive copies, for axios 1.14.1 or 0.30.4 and for any plain-crypto-js entry (a dependency legitimate axios does not declare); if nothing resolved axios between 00:21 and 03:15 UTC on March 31, you're fine. Source: Post Mortem: axios npm supply chain compromise
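The lockfile check above, as an added example that is not part of the postmortem or the axios project: a scanner for npm package-lock.json files (lockfileVersion 2 or 3, whose "packages" map is keyed by node_modules path, so nested transitive copies show up as their own entries). The sample lockfile, the package "some-sdk" and its versions are constructed for the example.

```javascript
// Added example, not code from the axios postmortem: scan an npm package-lock.json
// (lockfileVersion 2 or 3) for the two compromised axios versions and for the fake
// plain-crypto-js dependency the postmortem names. Lockfile v1 (nested "dependencies")
// and yarn/pnpm lockfiles are not handled here.

const COMPROMISED_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);
const SUSPICIOUS_PACKAGES = new Set(["plain-crypto-js"]);

// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar"
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Returns one finding per hit: { path, name, version, reason }.
function findCompromised(lockfile) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    if (lockPath === "") continue; // the root project itself
    // npm aliases carry an explicit "name"; otherwise the path says what the package is.
    const name = entry.name || packageNameFromPath(lockPath);
    const version = entry.version;
    if (name === "axios" && COMPROMISED_AXIOS_VERSIONS.has(version)) {
      findings.push({ path: lockPath, name, version, reason: "compromised axios release" });
    }
    if (SUSPICIOUS_PACKAGES.has(name)) {
      findings.push({ path: lockPath, name, version, reason: "fake dependency pulled in by the malicious release" });
    }
  }
  return findings;
}

// Entry point for a lockfile read from disk: pass the file contents as text.
function scanLockfileText(text) {
  return findCompromised(JSON.parse(text));
}

// Constructed sample (package names and versions are made up for the example):
// the top-level axios is clean, but a transitive dependency pinned the compromised
// release, which a look at package.json alone would miss.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0", dependencies: { axios: "^1.13.0", "some-sdk": "^2.0.0" } },
    "node_modules/axios": { version: "1.13.2" },
    "node_modules/some-sdk": { version: "2.0.0", dependencies: { axios: "^1.14.1" } },
    "node_modules/some-sdk/node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "*" } },
    "node_modules/some-sdk/node_modules/plain-crypto-js": { version: "1.0.0" },
  },
};

for (const f of findCompromised(SAMPLE_LOCKFILE)) {
  console.log(`${f.reason}: ${f.name}@${f.version} at ${f.path}`);
}
```

Run it against a real project by feeding the lockfile contents to scanLockfileText; an empty result means neither version nor the fake dependency is pinned anywhere in the tree, but it says nothing about a machine that ran a fresh install inside the window and has since been cleaned up.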
2. Social engineering campaign targets high-impact Node.js maintainers
The Axios attack wasn't isolated. Socket.dev reports that the same campaign is actively targeting maintainers of foundational npm packages, including Jordan Harband (hundreds of ECMAScript polyfills), John-David Dalton (Lodash, 137M weekly downloads), and Matteo Collina (Node.js TSC Chair). The attack pattern: build rapport over weeks, schedule a video call, fake an audio error, and trick the target into installing a "fix" that deploys a RAT. Neither 2FA nor OIDC trusted publishing defends against this vector: both protect the publish step, but a RAT on the maintainer's own machine sits behind those controls and inherits whatever that machine can already do. Source: Attackers Are Hunting High-Impact Node.js Maintainers
3. React Native 0.85 ships shared animation backend
React Native 0.85 landed on April 7 with the headlining Shared Animation Backend, built with Software Mansion, that unifies the internal engine powering both Animated and Reanimated. The biggest practical win: layout props like width, height, and flex can now animate via the native driver, eliminating a long-standing source of janky JS-thread frame drops. The release also adds simultaneous CDP connections (debug with DevTools, VS Code, and AI agents at once), Metro TLS support for testing secure APIs locally, and extracts the Jest preset to @react-native/jest-preset. Breaking changes include dropping EOL Node versions and removing StyleSheet.absoluteFillObject. Source: React Native 0.85
4. Cloudflare launches EmDash, an open-source TypeScript CMS challenging WordPress
Cloudflare released EmDash, a serverless CMS built on Astro that it calls the "spiritual successor to WordPress." The key differentiator is sandboxed plugins: each runs in its own V8 isolate with declared permissions, addressing the fact that 96% of WordPress vulnerabilities originate in plugins. It also ships with a built-in MCP server and AI Agent Skills for autonomous site management. WordPress co-founder Matt Mullenweg responded that it's designed to sell Cloudflare services (the sandboxing only fully works on their runtime), but called the AI Skills approach "brilliant." It's a v0.1.0 developer preview with essentially zero ecosystem, so don't migrate your production blog yet. Source: Introducing EmDash — the spiritual successor to WordPress
5. Google proposes JSIR: a high-level intermediate representation for JavaScript
Google's compilers team published an RFC proposing JSIR, an MLIR-based intermediate representation for JavaScript, and open-sourced the tooling they've already been using internally. While an AST describes what code looks like, an IR describes what it does — enabling more powerful analysis, deobfuscation, and source-to-source transformation. Google is already using JSIR to decompile Hermes bytecode back to JavaScript. Most developers won't feel the impact immediately, but this is foundational infrastructure that could lead to significantly better linters, bundlers, and refactoring tools. Source: RFC: JSIR — A High-Level IR for JavaScript
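A toy illustration of the AST-versus-IR point, added here and not taken from the RFC: it is not JSIR and not Google's code, and the opcodes, the "%n" temps and the folding pass are invented for the example. A small hand-built AST (simplified ESTree shape) is lowered to a linear, single-assignment IR, and one forward pass over that IR resolves a string-splitting trick ("ev" + "al") that an AST pattern match only ever sees as a BinaryExpression.

```javascript
// Added toy example, not JSIR: lower a tiny expression AST to a linear IR and
// run constant propagation over it to recover an obfuscated property name.

// Constructed AST (simplified ESTree shape) for:
//   const k = "ev" + "al";
//   const f = window[k];
const AST = {
  type: "Program",
  body: [
    { type: "VariableDeclaration", id: "k",
      init: { type: "BinaryExpression", operator: "+",
              left: { type: "Literal", value: "ev" },
              right: { type: "Literal", value: "al" } } },
    { type: "VariableDeclaration", id: "f",
      init: { type: "MemberExpression", computed: true,
              object: { type: "Identifier", name: "window" },
              property: { type: "Identifier", name: "k" } } },
  ],
};

// Lowering. Each intermediate value gets a fresh temp; each declared variable maps
// to the temp holding its value. There is no reassignment in this toy, so the IR
// is single-assignment by construction.
function lowerToIR(program) {
  const ir = [];
  const env = new Map();
  let counter = 0;
  const fresh = () => `%${counter++}`;

  function lowerExpr(node) {
    switch (node.type) {
      case "Literal": {
        const t = fresh();
        ir.push({ op: "const", dst: t, value: node.value });
        return t;
      }
      case "Identifier": {
        if (env.has(node.name)) return env.get(node.name);
        const t = fresh();
        ir.push({ op: "global", dst: t, name: node.name }); // free variable: global read
        return t;
      }
      case "BinaryExpression": {
        const l = lowerExpr(node.left);
        const r = lowerExpr(node.right);
        const t = fresh();
        ir.push({ op: "binop", dst: t, operator: node.operator, args: [l, r] });
        return t;
      }
      case "MemberExpression": {
        const obj = lowerExpr(node.object);
        const prop = node.computed
          ? lowerExpr(node.property)
          : lowerExpr({ type: "Literal", value: node.property.name }); // obj.name is obj["name"]
        const t = fresh();
        ir.push({ op: "getprop", dst: t, args: [obj, prop] });
        return t;
      }
      default:
        throw new Error(`unsupported node type ${node.type}`);
    }
  }

  for (const stmt of program.body) {
    if (stmt.type !== "VariableDeclaration") throw new Error(`unsupported statement ${stmt.type}`);
    env.set(stmt.id, lowerExpr(stmt.init));
  }
  return ir;
}

// Constant propagation. Because every temp is defined exactly once, a single
// forward pass knows at each instruction which operands are constants; a "+" on
// two known constants is replaced by the folded constant.
function foldConstants(ir) {
  const known = new Map();
  const out = [];
  for (const ins of ir) {
    if (ins.op === "const") {
      known.set(ins.dst, ins.value);
    } else if (ins.op === "binop" && ins.operator === "+" && ins.args.every((a) => known.has(a))) {
      const value = known.get(ins.args[0]) + known.get(ins.args[1]);
      known.set(ins.dst, value);
      out.push({ op: "const", dst: ins.dst, value });
      continue;
    }
    out.push(ins);
  }
  return { ir: out, known };
}

// The analysis query: property accesses whose key is now a known constant.
function resolvedPropertyAccesses(ir) {
  const { ir: folded, known } = foldConstants(ir);
  return folded
    .filter((ins) => ins.op === "getprop" && known.has(ins.args[1]))
    .map((ins) => ({ dst: ins.dst, object: ins.args[0], property: known.get(ins.args[1]) }));
}

for (const hit of resolvedPropertyAccesses(lowerToIR(AST))) {
  console.log(`${hit.dst} = ${hit.object}["${hit.property}"]`);
}
```

The same query run against the AST would have to recognise every spelling of the trick (concatenation, array joins, fromCharCode, a helper function) separately; over the IR it only has to ask whether the operand is a known value, which is the kind of leverage the RFC is describing.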
6. HTML video and audio lazy-loading is now a web standard
Lazy-loading for <video> and <audio> elements has been merged into the HTML specification, following endorsements from code owners at Mozilla, Apple, and Chromium. It works the same way as image lazy-loading: add loading="lazy" and the browser defers asset loading and autoplay until the element enters the viewport. Chrome 147 shipped with the feature behind a flag on April 7; it will be enabled by default in Chrome 148 (May 5), with Firefox and WebKit implementations close behind. If you serve media-heavy pages, this is a free performance win with zero JavaScript. Source: How to Use Standard HTML Video and Audio Lazy-Loading
7. Railway moves 200+ routes off Next.js to Vite + TanStack Router
Railway published a detailed account of migrating their entire production frontend from Next.js to Vite + TanStack Router in just two PRs with zero downtime. Build times dropped from 10+ minutes to under 2. Their rationale: Railway's dashboard is overwhelmingly client-side (real-time canvas, WebSockets everywhere), and Next.js's server-centric model added complexity without benefits. The post is a practical reference for teams evaluating whether their app actually needs an SSR-first framework, or whether a client-first stack with edge caching is a better fit. Source: Moving Railway's Frontend Off Next.js
8. Material UI 9.0 and Mantine 9.0 both ship major releases
Two of React's most popular component libraries released major versions in the same week. Material UI 9.0 focuses on accessibility defaults, improved keyboard navigation (Roving TabIndex for Stepper, Tabs, MenuList), a new Menubar component, and sx prop performance improvements. Mantine 9.0 adds entirely new components including Scheduling, FloatingWindow, OverflowList, and Marquee. If you're on either library, review the migration guides — MUI also updated its licensing model, moving Pro and Premium to application-based pricing. Source: Material UI v9.0 | Mantine 9.0
9. Turborepo 2.9 delivers up to 96% faster time-to-first-task
Turborepo 2.9 dramatically reduces overhead in monorepos, with Time to First Task (the gap between invoking turbo run and the first script actually starting) improving by 81–96% depending on repo size. The release also stabilizes turbo query for querying your monorepo with GraphQL, removes the blocker on circular package dependencies, and adds OpenTelemetry support for sending task metrics to observability backends. The team closed 141 issues, reducing total open issues by 70%. Upgrade with npx @turbo/codemod migrate. Source: Turborepo 2.9
10. Node.js pauses security bug bounty program due to funding loss
The Node.js project announced it is discontinuing security bug bounties after the Internet Bug Bounty program — which funded payouts since 2016 — went on hiatus while reassessing its role in an AI-assisted security landscape. Vulnerability reports can still be submitted, but with no monetary reward. Combined with the ongoing social engineering attacks targeting maintainers, this raises serious questions about the sustainability of open-source security infrastructure. In related news, tsdown from VoidZero can now generate standalone executables using Node's SEA feature, and Node 25.9.0 shipped with --max-heap-size and experimental iterable streams. Source: Discontinuing Security Bug Bounties