May 06, 2026criticalzero-day

alert ≥ mentions

…

Critical vm2 sandbox bug lets attackers execute code on hosts

A critical vulnerability in the popular Node.js sandboxing library vm2 allows escaping the sandbox and executing arbitrary code on the host system.

what's affectedCritical vm2 sandbox bug lets attackers execute code on hosts

mitigation statusMonitoring updates

first reportedMay 06, 2026

Grace Ops

triage-ready iocs + detections

fresh

IOC Workbench

typed indicators with fast copy and export actions

3 total

uhttps://www.bleepingcomputer.com/news/security/critical-vm2-sandbox-bug-lets-attackers-execute-code-on-hosts/

dNode.js

dwww.bleepingcomputer.com

3 indicators staged for handoff.

Rule Studio

starter detections generated from this IOC set

2 formats

!Draft output: validate and tune before production rollout.

sigmadraft

title: AHackaday IOC starter detection id: ahackaday-2026-05-06-critical-vm2-sandbox-bug-lets-attackers-execute-code-on-hosts-a7cd8af6 description: IOC starter rule for Critical vm2 sandbox bug lets attackers execute code on hosts status: experimental author: ahackaday logsource: product: network detection: selection_iocs: - "https://www.bleepingcomputer.com/news/security/critical-vm2-sandbox-bug-lets-attackers-execute-code-on-hosts/" - "Node.js" - "www.bleepingcomputer.com" condition: selection_iocs falsepositives: - unknown level: high

coverage

yaradraft

rule ahackaday_2026_05_06_critical_vm2_sandbox_bug_lets_attackers_execute_code_on_hosts_a7cd8af6 { meta: description = "IOC starter for Critical vm2 sandbox bug lets attackers execute code on hosts" author = "ahackaday" strings: $ioc1 = "https://www.bleepingcomputer.com/news/security/critical-vm2-sandbox-bug-lets-attackers-execute-code-on-hosts/" nocase $ioc2 = "Node.js" nocase $ioc3 = "www.bleepingcomputer.com" nocase condition: any of them }

coverage

Response Tracks

fast operational tracks from this incident snapshot

4 tracks

source-backed 1 refs

discussion

0 comments

Loading comments…

audit trail / provenance3

Provenance

Claims tie surfaced fields back to sources, models, or heuristics.

severity.upliftheuristicn/a
CVE or advisory identifiers detected — floor raised to at least high.
severity.upliftheuristicn/a
Active exploitation / in-the-wild language detected — floor raised to at least high.
severity.upliftheuristicn/a
Combined zero-day/exploit + ransomware/mass-impact signals → critical.

What changed

Append-only revisions when ingest or analysts evolve the record.

No revision rows stored yet.

Sources

https://www.bleepingcomputer.com/news/security/critical-vm2-sandbox-bug-lets-attackers-execute-code-on-hosts/

Curated May 06, 2026 by the ahackaday team./Sources verified./Brief grounded in 1 source.

back to feed

May 06, 2026criticalzero-day

alert ≥ mentions

…

Critical vm2 sandbox bug lets attackers execute code on hosts

A critical vulnerability in the popular Node.js sandboxing library vm2 allows escaping the sandbox and executing arbitrary code on the host system.

what's affectedCritical vm2 sandbox bug lets attackers execute code on hosts

mitigation statusMonitoring updates

first reportedMay 06, 2026

Grace Ops

triage-ready iocs + detections

fresh

IOC Workbench

typed indicators with fast copy and export actions

3 total

uhttps://www.bleepingcomputer.com/news/security/critical-vm2-sandbox-bug-lets-attackers-execute-code-on-hosts/

dNode.js

dwww.bleepingcomputer.com

3 indicators staged for handoff.

Rule Studio

starter detections generated from this IOC set

2 formats

!Draft output: validate and tune before production rollout.

sigmadraft

coverage

yaradraft

coverage

Response Tracks

fast operational tracks from this incident snapshot

4 tracks

source-backed 1 refs

discussion

0 comments

Loading comments…

audit trail / provenance3

Provenance

Claims tie surfaced fields back to sources, models, or heuristics.

severity.upliftheuristicn/a
CVE or advisory identifiers detected — floor raised to at least high.
severity.upliftheuristicn/a
Active exploitation / in-the-wild language detected — floor raised to at least high.
severity.upliftheuristicn/a
Combined zero-day/exploit + ransomware/mass-impact signals → critical.

What changed

Append-only revisions when ingest or analysts evolve the record.

No revision rows stored yet.

Sources

https://www.bleepingcomputer.com/news/security/critical-vm2-sandbox-bug-lets-attackers-execute-code-on-hosts/

Curated May 06, 2026 by the ahackaday team./Sources verified./Brief grounded in 1 source.

Critical vm2 sandbox bug lets attackers execute code on hosts

discussion

Provenance

What changed

Sources

social pulse

Critical vm2 sandbox bug lets attackers execute code on hosts

discussion

Provenance

What changed

Sources

social pulse