THREATOPS
THREAT OPSThreat News › Node.js Trust Falls: Dangerous Module Resolution on Windows

Node.js Trust Falls: Dangerous Module Resolution on Windows

lowzdi_blogPublished 2026-04-08

<p class="">In September of 2024, ZDI received a vulnerability submission from an anonymous researcher affecting <a href="https://docs.npmjs.com/cli/v11">npm CLI</a> that revealed a fundamental design issue in <a href="https://nodejs.org/en">Node.js</a>. This blog details how it continues to expose applications to local privilege escalation (LPE) attacks on Windows systems, including the Discord d

MITRE ATT&CK techniques

Indicators of compromise

Original source: https://www.thezdi.com/blog/2026/4/8/nodejs-trust-falls-dangerous-module-resolution-on-windows