<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Javascript on HackingPassion.com : root@HackingPassion.com-[~]</title><link>https://hackingpassion.com/tags/javascript/</link><description>Recent content in Javascript on HackingPassion.com : root@HackingPassion.com-[~]</description><generator>Hugo</generator><language>en</language><lastBuildDate>Thu, 07 May 2026 14:42:24 +0200</lastBuildDate><atom:link href="https://hackingpassion.com/tags/javascript/index.xml" rel="self" type="application/rss+xml"/><item><title>vm2 Node.js Sandbox Escape 12 Critical Vulnerabilities Two Without a Patch</title><link>https://hackingpassion.com/vm2-sandbox-escape/</link><pubDate>Thu, 07 May 2026 14:42:24 +0200</pubDate><guid>https://hackingpassion.com/vm2-sandbox-escape/</guid><description>&lt;p>Twelve critical vulnerabilities were just published for &lt;strong>vm2&lt;/strong>, a Node.js sandboxing library that sits inside millions of applications. Three of them score the maximum 10 out of 10. The creator shut the project down in 2023 because it was too broken to fix, restarted it anyway in October 2025, and here we are.&lt;/p>
&lt;p>When a platform lets users run their own code, that code needs somewhere to run where it cannot touch anything it should not: not the files on the server, not the ability to run system commands, not connections to other services. That sealed-off space, where code runs but cannot escape, is called a &lt;strong>sandbox&lt;/strong>, and &lt;strong>vm2&lt;/strong> was the tool &lt;strong>Node.js&lt;/strong> developers used to build one.&lt;/p></description></item><item><title>Axios npm Supply Chain Attack: How a Fake Meeting Compromised 100 Million Downloads</title><link>https://hackingpassion.com/axios-npm-supply-chain-attack/</link><pubDate>Sat, 04 Apr 2026 13:50:24 +0200</pubDate><guid>https://hackingpassion.com/axios-npm-supply-chain-attack/</guid><description>&lt;p>Axios, the JavaScript library with over &lt;strong>100 million weekly downloads&lt;/strong>, was compromised on March 31st. For roughly three hours, every fresh install of the two compromised versions silently dropped a &lt;strong>remote access trojan&lt;/strong> on the machine that ran it. Windows, macOS, and Linux were all targeted. The installation completed normally, nothing flagged the change, and the backdoor was already running by the time the command finished. 😏&lt;/p>
&lt;p>Axios is a JavaScript HTTP client that developers use to send web requests from their applications. It ships inside frontend frameworks, backend services, mobile apps, and &lt;strong>CI/CD pipelines&lt;/strong>, and if a company runs Node.js anywhere in its stack, Axios is almost certainly somewhere in that dependency tree. That reach is what made this attack so significant.&lt;/p></description></item><item><title>Linux Inside a PDF</title><link>https://hackingpassion.com/linux-inside-pdf/</link><pubDate>Mon, 26 Jan 2026 10:30:00 +0100</pubDate><guid>https://hackingpassion.com/linux-inside-pdf/</guid><description>&lt;p>Linux running inside a PDF: an actual working operating system with a terminal where you can type commands. Open the PDF in Chrome, wait about 30 seconds, and you have a working Linux terminal. No installation, no extra software, just a 6MB file that boots an entire operating system.&lt;/p>
&lt;p>A high school student named Allen built this, the same kid who previously crammed Doom into a PDF. Before that he made tools to bypass school software restrictions and exploits to boot Linux on locked-down Chromebooks.&lt;/p></description></item></channel></rss>