A malicious tarball can now quietly escape the bounds of a safe extraction and overwrite files on the host: a newly tracked vulnerability in the widely used Node.js tar library (node‑tar) — identified as CVE‑2026‑29786 — allows a specially crafted hardlink entry whose linkpath uses a...
