JS Pulse #4
Vercel got hacked. Someone compromised an employee's Google Workspace account and accessed internal systems. The company says no npm packages, no Next.js code, and no open-source projects were affected. But non-sensitive environment variables for some customers may have been exposed. If you deploy on Vercel, rotate your API keys. If you do not deploy on Vercel, pay attention anyway, because this is the company that powers a massive chunk of the React ecosystem.
Meanwhile, tech layoffs in 2026 just crossed 95,000. Meta is planning another 8,000 cuts for May. Amazon dropped 600 roles last week. And companies that are hiring JavaScript developers are quietly giving them a different job than what the posting described. I wrote about that this week and the response was intense.
Welcome back to JS Pulse. I am Zamir, founder of jsgurujobs.com. Here is what actually mattered in the JavaScript world over the last two weeks.
THE NUMBER: 95,878
That is how many tech workers have lost their jobs in 2026 so far. 249 layoff events across the industry. Up from 60,000 when I wrote JS Pulse #3 just two weeks ago. The pace is accelerating, not slowing. Meta alone is planning to cut 10% of its workforce (roughly 8,000 people) by May 20. Amazon cut 600 roles in South Florida last week. The pattern from Q1 continues: companies cut coordination and support roles, keep core engineering, and use AI as the explanation for both.
THE BIG STORY: Vercel Got Hacked
On April 19, Vercel disclosed that a hacker group called ShinyHunters gained unauthorized access through a compromised employee account linked to context.ai. The attackers claimed to be selling internal data. Vercel confirmed that non-sensitive environment variables for a limited subset of customers may have been exposed.
The good news: Vercel says no npm packages, no Next.js source, no Turbopack, and no open-source projects were compromised. The supply chain is intact. The bad news: Vercel powers millions of production deployments. Even "non-sensitive" environment variables can contain API keys, webhook URLs, and configuration data that you do not want in the wrong hands.
What to do right now: if you deploy on Vercel, rotate your environment variables and API keys. Enable MFA if you have not already. Check your deployment logs for any unexpected activity in the last week. This is not a drill. This is the second major JavaScript ecosystem security incident in a month after the Axios compromise I covered in JS Pulse #3.
THIS WEEK'S READ: Companies Are Hiring Developers and Giving Them AI Jobs Instead
A developer found a senior React role through my board. Three weeks in, he had written zero lines of React. His actual job was reviewing 300 lines of AI-generated code per task, fixing edge cases, and rewriting prompts when the output broke. He asked me if this was normal. I did not have a good answer.
I wrote about the bait-and-switch pattern I keep seeing: companies interview for coding skills but hand developers AI management jobs. The reaction was the strongest I have had to any article this year. Turns out a lot of people recognized themselves in the story.
5 JOBS WORTH APPLYING TO
1. Senior Fullstack Software Engineer — Vanta — USA — $195K–$229K
Security compliance platform. React + TypeScript + Node.js. One of the best-paying fullstack roles on the board right now.
Apply here
2. Senior Software Engineer (Frontend React) — Voxel51 — Worldwide — $180K–$220K
AI data platform used by the biggest ML teams in the world. React + TypeScript. Worldwide remote with Silicon Valley salary. Rare.
Apply here
3. Senior Full-Stack Engineer — Praktika — Worldwide — $65K–$118K
AI education platform with 2M+ monthly users. React + Node.js + TypeScript. Global remote, full product ownership.
Apply here
4. Senior Web Engineer — Canonical — Worldwide
The company behind Ubuntu. React + TypeScript. Globally distributed open-source team. If you want to work in open source and get paid for it, this is it.
Apply here
5. Senior Frontend Engineer (Next.js, AI-Native) — LumiMeds — US / Europe / LATAM — Remote
Telehealth startup building AI-powered clinical interfaces. Next.js + React + Tailwind. This posting explicitly requires AI-native workflow. The future of frontend job descriptions, for better or worse.
Apply here
Browse all 430+ JavaScript jobs
TOOL OF THE WEEK: React Email 6.0
React Email just shipped version 6.0 with an open-source email editor you can embed directly into your own app. If you have ever tried to build transactional emails with proper rendering across Gmail, Outlook, and Apple Mail, you know the pain. React Email solves it by letting you build emails the same way you build React components, with actual JSX, actual TypeScript, and actual previews that match what users see.
Version 6.0 adds a full visual editor, which means non-developers on your team can edit email templates without touching code. The whole thing is open source, fully TypeScript, and launched on Product Hunt this month.
ALSO HAPPENING
Kimi K2.6 dropped as open-source coding AI. Moonshot AI released an open-source model that handles 4,000+ tool calls over 12+ hours of autonomous coding, including JavaScript frontend tasks (WebGL, Three.js, Framer Motion). It scored 58.6 on SWE-Bench Pro, the highest for an open-source model. The AI-writes-your-code era is accelerating faster than the AI-reviews-your-code era that I wrote about this week.
Next.js v16.2.4 shipped. Backport release with Turbopack improvements, Safari cache fixes, Windows ARM64 Google Fonts support, and better error messages. No breaking changes, just stability. If you are on 16.x, update.
Claude built a working Chrome V8 exploit. A security researcher used Claude Opus to construct a full exploit chain for the V8 JavaScript engine that powers Chrome, Electron, Discord, and Slack. This is not a coding assistant writing a todo app. This is an AI building a zero-day exploit for the most widely used JavaScript runtime on earth. The implications for JavaScript security are significant.
WHAT I PUBLISHED THIS WEEK
This was a big writing week. Three new articles since the last Pulse, all based on patterns I am seeing on my board:
The 5 Types of Remote JavaScript Job Restrictions I Track on My Job Board — 23 remote listings, only 1 truly worldwide. I classified the five restriction types that filter out most developers before a human ever reads their resume.
Read it here
Why Companies Post JavaScript Jobs They Never Fill — Ghost jobs, fake listings, and the 20-30% of postings on any platform that do not have a real role behind them. How I spot them and how you can too.
Read it here
Companies Are Hiring JavaScript Developers and Giving Them AI Management Jobs Instead — The article I mentioned above. The bait-and-switch pattern, why it is happening, and the one question that tells you what the job really is before you accept.
Read it here
HIRING?
If your company is looking for JavaScript developers, I can put your job in front of 4,200+ newsletter subscribers with a 54% open rate, plus 9,000 LinkedIn followers and a growing audience on X and Telegram.
Plans start free. See all options
That is it for JS Pulse #4. Next issue: how the Vercel breach aftermath develops, whether Meta's May layoffs actually hit engineering, and what I am learning from the developers who message me about their job search experiences.
— Zamir
Founder, jsgurujobs.com
P.S. If this was useful, forward it to one developer friend. If it was not, hit reply and tell me what to change. I read every response.