Security News

Back in 2022, about a code execution hole in the widely-used JavaScript sandbox system vm2. Your web browser is a good example of a sandbox, which is how it keeps control over JavaScript programs that it downloads and runs from remote websites.

Proof-of-concept exploit code has been released for a recently disclosed critical vulnerability in the popular VM2 library, a JavaScript sandbox that is used by multiple software to run code securely in a virtualized environment. The researchers who found that the VM2 library handled improperly the host objects passed to the 'Error.

They existed simply as placeholders for README files that included the final links that the crooks wanted people to click on. These links typically including referral codes that would net the scammers a modest reward, even if the person clicking through was doing so simply to see what on earth was going on.

Researchers with Google-owned security shop Mandiant started seeing significant changes to the Gootloader malware package - also known as Gootkit - in November 2022, including using multiple variations of FONELAUNCH, a.NET-based loader, as well as some newly developed payloads and obfuscation techniques. A Gootloader infection starts via a search engine optimization poisoning attack, with a victim who is searching online for business-related documents, such as templates, agreements, or contracts, being lured into going to a website compromised by the criminal gang.

An active malware campaign is targeting the Python Package Index and npm repositories for Python and JavaScript with typosquatted and fake modules that deploy a ransomware strain, marking the latest security issue to affect software supply chains. According to Phylum, the rogue packages embed source code that retrieves Golang-based ransomware binary from a remote server depending on the victim's operating system and microarchitecture.

A new Windows zero-day allows threat actors to use malicious stand-alone JavaScript files to bypass Mark-of-the-Web security warnings. Windows includes a security feature called Mark-of-the-Web that flags a file as having been downloaded from the Internet and should be treated with caution as it could be malicious.

The downloaded malicious files contained JavaScript that initiated an intricate infection with the file-encrypting malware. A report from HP's threat intelligence team notes that Magniber ransomware operators demanded payment of up to $2,500 for home users to receive a decryption tool and recover their files.

A now-patched security flaw in the vm2 JavaScript sandbox module could be abused by a remote adversary to break out of security barriers and perform arbitrary operations on the underlying machine. "A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox," GitHub said in an advisory published on September 28, 2022.

JavaScript is widely used in backend and frontend applications that rely on trust and good user experience, including e-commerce platforms, and consumer-apps. Fuzz testing helps secure these applications against bugs and vulnerabilities that cause downtime and other security issues, such as crashes, DoS and uncaught exceptions.

That's where you aim to review source code for likely coding blunders and security holes without actually running it at all. If someone has copied-and-pasted that buggy code into other software components in your company repository, you might be able to find them with a text search, assuming that the overall structure of the code was retained, and that comments and variable names weren't changed too much.