Critical RSC CVE, Auth CN, Next.js interview malware, fallback rewrites, faster K8s, and Bun’s acquisition
CVE-2025-55182: Critical Security Vulnerability in React Server Components
A remote code execution vulnerability was found in how React Server Components handle the payloads they receive. It is rated CVSS 10.0, and the React team recommends upgrading immediately to the patched versions released this week. Apps that never call server functions directly can still be exposed, so check every Next.js project, not just the ones that use them. Vercel has released patched Next.js versions, including 15.0.5, 15.1.9, and 16.0.7.
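One concrete way to do that check, as an added example (not code from the React or Next.js advisories, nor from this newsletter): read the `next` version pinned in `package-lock.json` and compare it with the patched release for its minor line. Only the three patched versions named above are encoded; any other minor line is reported as "unknown" and must be looked up in the official advisory rather than assumed safe. The lockfile is a constructed sample.

```typescript
// Added example, not code from the React/Next.js advisory or this newsletter:
// decide whether the `next` version pinned in package-lock.json is at or above
// the patched release for its minor line. Only the three patched versions the
// newsletter names are encoded; every other minor line reports "unknown" and
// must be checked against the official advisory rather than assumed safe.
const PATCHED_NEXT_VERSIONS = ["15.0.5", "15.1.9", "16.0.7"];

type Version = { nums: [number, number, number]; prerelease: string | null };

function parseVersion(raw: string): Version | null {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(raw.trim());
  if (!m) return null;
  return {
    nums: [Number(m[1]), Number(m[2]), Number(m[3])],
    prerelease: m[4] ?? null,
  };
}

// Semver ordering for what matters here: compare the numeric triple, then treat
// a prerelease (e.g. 16.0.7-canary.3) as older than the matching release.
function compareVersions(a: Version, b: Version): number {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  if (a.prerelease === null && b.prerelease !== null) return 1;
  if (a.prerelease !== null && b.prerelease === null) return -1;
  return 0;
}

type Assessment =
  | { status: "patched"; fixedIn: string }
  | { status: "vulnerable"; fixedIn: string }
  | { status: "unknown"; reason: string };

function assessNextVersion(installed: string): Assessment {
  const v = parseVersion(installed);
  if (!v) return { status: "unknown", reason: `cannot parse "${installed}"` };
  // Find the patched release on the same major.minor line, if we know one.
  const floor = PATCHED_NEXT_VERSIONS.find((p) => {
    const f = parseVersion(p)!;
    return f.nums[0] === v.nums[0] && f.nums[1] === v.nums[1];
  });
  if (!floor) {
    return { status: "unknown", reason: `no patched version recorded for ${v.nums[0]}.${v.nums[1]}.x` };
  }
  return compareVersions(v, parseVersion(floor)!) >= 0
    ? { status: "patched", fixedIn: floor }
    : { status: "vulnerable", fixedIn: floor };
}

// Pull the resolved `next` version from a package-lock.json (lockfile v1, v2 or v3).
function nextVersionFromLock(lockJson: string): string | null {
  const lock = JSON.parse(lockJson);
  const v3 = lock.packages?.["node_modules/next"]?.version;
  if (typeof v3 === "string") return v3;
  const v1 = lock.dependencies?.next?.version;
  return typeof v1 === "string" ? v1 : null;
}

// Constructed sample lockfile for the demo; not from a real project.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { next: "15.1.8" } },
    "node_modules/next": { version: "15.1.8" },
  },
});

const pinned = nextVersionFromLock(SAMPLE_LOCK);
console.log(pinned, assessNextVersion(pinned ?? ""));
```

Against a real repo, feed it `fs.readFileSync("package-lock.json", "utf8")`; yarn and pnpm lockfiles have different layouts and need their own reader. The pinned version is what matters, not the range in `package.json`, and a canary build below the patched release is treated as vulnerable.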
Reverse Engineering the ‘Next.js Job Interview’ Malware
This story is wild: a fake job interview delivered a multi-stage malware chain hidden inside an apparently clean Next.js repo. The loader lived in next.config.js, which Node executes every time the dev server or build starts, so simply running the project was enough. It pulled in a fake jquery.min.js, which fetched further stages that ultimately installed a Python RAT stealing LastPass data, crypto wallets, browser data, SSH keys, and more.
📙 Articles, Tutorials
Serve the Same Route from App Router and Pages Router
I wrote a post about the routing problem I faced while redesigning the Next.js Weekly issue page and how I solved it by using fallback rewrites in next.config.mjs.
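For readers who have not used them, here is the shape of a `fallback` rewrite and a small model of the order in which Next.js consults rewrites, as an added example that is not the author's actual configuration. The route names are hypothetical; the assumption is that the App Router only defines a few static pages under `/issues`, so every other `/issues/:id` has no filesystem or dynamic-route match and falls through to the Pages Router.

```typescript
// Added example, not the newsletter author's configuration: the shape of a
// `fallback` rewrite in next.config, plus a small model of the order in which
// Next.js consults rewrites. Route names are hypothetical.
type Rewrite = { source: string; destination: string };
type Rewrites = { beforeFiles: Rewrite[]; afterFiles: Rewrite[]; fallback: Rewrite[] };

function buildRewrites(): Rewrites {
  return {
    beforeFiles: [],
    afterFiles: [],
    // Assumption: the App Router only has a few static pages under /issues
    // (say app/issues/latest/page.tsx). Any other /issues/:id has no filesystem
    // or dynamic-route match, so it falls through to this rule and is served by
    // a Pages Router file such as pages/archive/[id].tsx.
    fallback: [{ source: "/issues/:id", destination: "/archive/:id" }],
  };
}
// In next.config.ts this is wired up as:
//   const nextConfig = { async rewrites() { return buildRewrites(); } };
//   export default nextConfig;

// Match a Next-style pattern ("/issues/:id") against a path and return the
// captured params, or null. Patterns here contain no regex metacharacters.
function matchPattern(pattern: string, path: string): Record<string, string> | null {
  const names: string[] = [];
  const re = new RegExp(
    "^" + pattern.replace(/:(\w+)/g, (_m: string, name: string) => { names.push(name); return "([^/]+)"; }) + "$",
  );
  const m = re.exec(path);
  if (!m) return null;
  const params: Record<string, string> = {};
  names.forEach((name, i) => { params[name] = m[i + 1]; });
  return params;
}

function applyRewrite(rule: Rewrite, path: string): string | null {
  const params = matchPattern(rule.source, path);
  if (!params) return null;
  return rule.destination.replace(/:(\w+)/g, (_m: string, name: string) => params[name] ?? "");
}

// Documented order: beforeFiles, then filesystem routes (pages/, public/, static
// app routes), then afterFiles, then dynamic routes, and only then fallback.
function resolve(path: string, staticRoutes: Set<string>, dynamicRoutes: string[], rw: Rewrites): string {
  for (const r of rw.beforeFiles) { const d = applyRewrite(r, path); if (d) return d; }
  if (staticRoutes.has(path)) return path;
  for (const r of rw.afterFiles) { const d = applyRewrite(r, path); if (d) return d; }
  if (dynamicRoutes.some((p) => matchPattern(p, path) !== null)) return path;
  for (const r of rw.fallback) { const d = applyRewrite(r, path); if (d) return d; }
  return path; // nothing matched: Next.js would render the 404 page
}

const appStaticRoutes = new Set(["/issues/latest"]);
console.log(resolve("/issues/latest", appStaticRoutes, [], buildRewrites())); // served by App Router
console.log(resolve("/issues/42", appStaticRoutes, [], buildRewrites()));     // rewritten to /archive/42
```

The model makes the practical caveat visible: a fallback rewrite only fires when nothing else matched, so if you add a dynamic `app/issues/[id]` route later, the rewrite silently stops applying and the Pages Router version is never reached.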
Next.js Developers Just Lost Critical Bundle Size Visibility
In Next.js 16, the page bundle size report is gone. This post explains why Vercel removed it, what that means for developers, and how to check app performance in other ways.
93% Faster Next.js in (your) Kubernetes
Matteo Collina and the Platformatic team show how Watt, their open source Node.js app server, makes running Next.js in Kubernetes much faster, reporting 93% lower latency and 99.8% reliability under load in their benchmarks.
► I tested the NEW Next.js Analyzer
Next.js 16 introduces a new Turbopack-based bundle analyzer that is currently experimental. In this video, Toby Mey tests how it helps spot large parts of the client bundle and trace the imports that add unnecessary weight.
📦 Projects / Packages / Tools
Anzen
Create clean, type-safe route handlers, pages, and layouts using factory functions with authorization hooks and built-in error handling. Comes with standard schema validation and supports validating segments, search params, body, and form data.
Civic Auth + Next.js sample app
A complete, ready-to-run Next.js project showing how to add secure auth with Civic Auth in minutes. Includes signup/login flows, wallet integration, and best practices. [Sponsor]
Better Auth 1.4
Adds stateless authentication, faster database queries, and SCIM support for easier user management. It also improves OAuth flows, adds JWT key rotation, and improves error handling.
Auth CN
A minimalist component library that brings production-ready authentication UIs built for Better Auth and styled with shadcn/ui. You can install the components via the shadcn registry.
plok.sh
Turn any repo's /blog folder into a live, themed blog with no setup or deployment. Just push markdown and publish instantly. Built with Next.js 15, supports themes, fonts, frontmatter, and syntax highlighting out of the box
⚡️ Sponsor
Immutable by Design: The Deep Tech Behind Tigris Bucket Forking
Think “instant DB clones” but for object storage. Sounds impossible — until you see the architecture. 👉 Peek under the hood.
🌈 Related
Bun is joining Anthropic
Big news! Bun has been acquired by Anthropic. But don't worry, nothing major is changing. The same team will keep building Bun, it remains open-source under MIT, and development stays public on GitHub. Anthropic plans to use Bun as the backbone for AI tools like Claude Code and the Claude Agent SDK.
How we built the v0 iOS app
Vercel shares the behind-the-scenes story of how they built the v0 iOS app, focusing on what it took to make React Native feel truly native. Covers chat animations, input behavior, and UI challenges.
Automated Accessibility Testing for React
Learn how to make your React apps more accessible with tools like eslint-plugin-jsx-a11y, Storybook, and Pa11y. The post explains how to add these tests to your pipeline and why you should still test with real users.
Omit for Discriminated Unions in TypeScript
Shows how TypeScript's Omit can break discriminated unions by flattening them to their common keys, and introduces a DistributiveOmit that applies Omit to each union branch separately.
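The failure and the fix side by side, as an added example with my own types rather than the post's code:

```typescript
// Added example illustrating the post's point; the types are my own, not the
// post's code.
type Shape =
  | { kind: "circle"; radius: number; id: string }
  | { kind: "square"; side: number; id: string };

// Built-in Omit evaluates `keyof Shape` on the whole union, which yields only
// the keys common to every branch ("kind" | "id"). The result is a single
// object type that has lost `radius` and `side`, so narrowing on `kind` no
// longer gives access to them.
type FlatOmit = Omit<Shape, "id">; // { kind: "circle" | "square" }

function brokenArea(s: FlatOmit): number {
  // @ts-expect-error radius does not exist on the flattened type
  return s.kind === "circle" ? s.radius : 0;
}

// Distribute over each union member first, then omit from each branch.
type DistributiveOmit<T, K extends PropertyKey> = T extends unknown ? Omit<T, K> : never;
type ShapeWithoutId = DistributiveOmit<Shape, "id">;
// = { kind: "circle"; radius: number } | { kind: "square"; side: number }

// The discriminant still narrows, so each branch sees its own fields.
function area(s: ShapeWithoutId): number {
  switch (s.kind) {
    case "circle": return Math.PI * s.radius ** 2;
    case "square": return s.side ** 2;
  }
}

function stripId(shape: Shape): ShapeWithoutId {
  switch (shape.kind) {
    case "circle": return { kind: "circle", radius: shape.radius };
    case "square": return { kind: "square", side: shape.side };
  }
}

console.log(area(stripId({ kind: "square", side: 3, id: "s1" }))); // 9
```

The conditional type `T extends unknown ? Omit<T, K> : never` is the whole trick: a conditional type over a naked type parameter distributes across union members, so `Omit` runs once per branch instead of once on the flattened union.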
Have a link you want to share? Send me an email at erfan@nextjsweekly.com
All submissions are appreciated.
👋 See you next week!