RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: supply-chain-precursor (2 articles)Clear
vulnerability
CVE-2026-43997CVE-2026-44005CVE-2026-44006CVE-2026-26956CVE-2026-24118CVE-2026-24120CVE-2026-24781CVE-2026-26332CVE-2026-43999CVE-2026-44007CVE-2026-44008
2026-05-06

vm2, the Node.js sandbox library used by 1.3 million projects to run untrusted code, just got hit with a dozen new bugs that let attackers escape the sandbox

vm2 maintainers disclosed a fresh batch of a dozen sandbox-escape vulnerabilities yesterday, including CVE-2026-43997, CVE-2026-44005, and CVE-2026-44006 - all CVSS 10.0. The library is used by 1.3 million weekly downloads worth of Node.js projects to run untrusted JavaScript inside a supposedly safe sandbox - online code runners, chatbots, automation tools, and SaaS platforms with user scripts. Each bug breaks the sandbox in a different way: prototype pollution, sandbox escape via inspect functions, allowlist bypass to reach child_process. vm2 was deprecated in 2023 over similar issues, then resurrected last October. Over 20 documented sandbox-escape bugs - the maintainer himself recommends Docker isolation instead.

vm2nodejssandbox-escapeprototype-pollutionjavascriptsupply-chain-precursorcvss-10isolated-vmdocker-isolation
Check
Search package.json and yarn.lock files across your codebase for vm2 dependencies. Check version - anything below 3.11.2 needs updating. Audit which features process attacker-controlled input through vm2.
Affected
vm2 versions 3.10.0 through 3.11.1. Patches landed in 3.11.0, 3.11.1, and 3.11.2. CVE-2026-43997, 44005, 44006 are CVSS 10.0. Acute risk: applications running user-supplied JavaScript through vm2 - chatbots, online code editors, automation platforms, and SaaS apps with custom-script features.
Fix
Upgrade vm2 to 3.11.2. For applications running attacker-controlled JavaScript, migrate off vm2 entirely - the maintainer recommends isolated-vm or Docker with logical separation. Don't rely on vm2 alone: combine with network isolation, filesystem restrictions, and ephemeral containers. Review CI/CD for transitive vm2 dependencies via 'npm ls vm2' - 885 packages directly depend on it.
threat
2026-05-05

New Linux malware called 'Quasar Linux' targets developer laptops to steal credentials for npm, GitHub, AWS, and Docker - barely detected by antivirus

Trend Micro disclosed Quasar Linux (QLNX), a previously undocumented Linux remote access trojan designed for developer workstations and DevOps environments. The malware harvests credentials for npm, PyPI, GitHub, AWS, Docker, and Kubernetes - then uses them to publish trojanized packages to public registries. QLNX runs entirely fileless and in-memory, dynamically compiling its rootkit and PAM backdoor on the target host using gcc, then loading them via /etc/ld.so.preload for system-wide interception. Capabilities include a 58-command RAT, dual-layer rootkit, keylogging, SSH lateral movement, and peer-to-peer mesh networking. Only four security tools detect the binary as malicious.

quasar-linuxqlnxtrend-microlinux-ratdeveloper-targetingsupply-chain-precursorebpfrootkitpam-backdoornpmpypigithubawsdockerkubernetesfileless
Check
Hunt Linux developer machines and CI runners for /etc/ld.so.preload entries you didn't put there, /tmp/.X*-lock files outside legitimate X server use, and gcc invocations on hosts that don't normally compile code.
Affected
Linux developer workstations and DevOps environments with credential access to npm, PyPI, GitHub, AWS, Docker, or Kubernetes. Acute risk for organizations with developers running root-capable Linux desktops, particularly those whose CI/CD pipelines pull dependencies from public registries. Compromised credentials enable supply-chain attacks against the organization's own published packages.
Fix
Deploy Linux EDR with eBPF visibility on every developer machine and CI runner - QLNX hides from userland tools but eBPF-aware sensors detect the kernel-level rootkit. Restrict /etc/ld.so.preload modifications via auditd alerts. For high-risk developers: use ephemeral build environments (containers, VMs) that don't carry persistent credentials. Trend Micro published IoCs.