doc: add 2025-09-11 meeting notes

meetings/2025-09-11.md

@@ -0,0 +1,57 @@
+# Node.js  Security team Meeting 2025-09-11
+
+## Links
+
+* **Recording**:  https://www.youtube.com/watch?v=2_exLrhF5YM&ab_channel=node.js
+* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1518
+* **Minutes Google Doc**: https://docs.google.com/document/d/1zPUOHww6WD9VtLoTeoMaPuoWeHi6_6uujHcVNG1SeF0/edit?tab=t.0
+
+## Present
+
+* Security wg team: @nodejs/security-wg
+
+* Ulises Gascón: @UlisesGascon
+* Rafael Gonzaga: @RafaelGSS
+
+## Agenda
+
+## Announcements
+* A targeted campaign has emerged against npm package maintainers, where attackers are leveraging stolen authentication tokens to impersonate maintainers and publish malicious package versions: https://jfrog.com/blog/new-compromised-packages-in-largest-npm-attack-in-history/
+
+
+*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
+
+- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+- [X] OpenSSF Scorecard Monitor Review
+  - No Action needed from our team. Last PR can be merged: https://github.com/nodejs/security-wg/pull/1520 
+
+### nodejs/node
+
+* src: add WDAC integration (Windows) #54364
+  * No updates
+
+* Option to enable inspection mode along with permission model #48534
+  * Rafael opened a PR to add –allow-inspector https://github.com/nodejs/node/pull/59711
+  * Seems ready to go
+
+### nodejs/security-wg
+
+* Create a VEX file for Node.js #1517
+  * Leaving that open for further discussion with Marco
+
+* Update on CVEs for EOL Release Lines – MITRE Removal & Next Steps #1443
+  * Closing as completed
+
+* Node.js maintainers: Threat Model #1333
+  * Closing as completed
+
+## Q&A, Other
+
+https://github.com/nodejs/node/pull/59806
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
+