AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets – 01-28-2026

Critical vm2 Node.js Sandbox Escape Vulnerability Allows Remote Code Execution

A critical sandbox escape vulnerability (CVE-2026-22709) has been disclosed in vm2, the popular Node.js library used to run untrusted JavaScript code in sandboxed environments. The flaw carries a CVSS score of 9.8 and allows attackers to bypass Promise callback sanitization and execute arbitrary code outside sandbox boundaries. The vulnerability exists because async functions return global Promise objects whose .then() and .catch() callbacks are not properly sanitized, enabling attackers to intercept Function.prototype.call and reach host constructors. Despite being deprecated with warnings that it “contains critical security issues and should not be used for production,” vm2 still has over one million weekly downloads. Users should upgrade to version 3.10.2 immediately, which replaces Function.prototype.call() with Reflect.apply() in Promise handlers.

Data Privacy Day 2026: Taking Control of Personal Data

January 28 marks Data Privacy Day 2026, an annual event aimed at raising awareness about online privacy and data protection best practices. Part of Data Privacy Week running January 26-30, the initiative encourages individuals and organizations to better understand how personal information is collected, shared, and used. The National Cybersecurity Alliance’s theme this year is “Take Control of Your Data,” featuring sessions on AI data privacy, children’s online privacy, dynamic pricing, and data deletion rights. Privacy advocates recommend subscribing to VPN services, using password managers and secure cloud storage, understanding risks from sophisticated hackers and data-collecting corporations, and considering alternatives to big tech services like Proton’s privacy-focused ecosystem.

Microsoft Investigates Windows 11 Boot Failures After January Security Updates

Microsoft is investigating reports that January 2026 security updates are causing some Windows 11 devices to fail to boot, displaying “UNMOUNTABLE_BOOT_VOLUME” stop errors. The issue affects a “limited number” of physical Windows 11 devices running versions 24H2 and 25H2, with affected systems showing a black screen and unable to complete startup. Microsoft says no virtual machines or servers appear to be affected. This boot failure adds to an already troubled January for Microsoft updates, which has also seen fallout from a Secure Launch bug preventing clean shutdowns, Windows app credential failures breaking sign-ins, and an Outlook issue causing freezes when saving files to cloud storage. Affected users may need manual recovery steps to restore system functionality.

Grubhub Confirms Data Breach, Faces Extortion Demands

Food delivery platform Grubhub has confirmed a data breach after hackers accessed its systems and downloaded data. Sources indicate the company is now facing extortion demands. Grubhub stated it “quickly investigated, stopped the activity, and is taking steps to further increase security posture,” noting that sensitive information such as financial data or order history was not affected. However, the company declined to specify when the breach occurred, whether customer data was involved, or confirm the extortion situation. Grubhub is working with a third-party cybersecurity firm and has notified law enforcement. Last month, Grubhub was also linked to a wave of scam emails sent from its subdomain promoting cryptocurrency fraud, though it’s unclear if the incidents are connected.

CISA Adds Actively Exploited VMware vCenter Flaw to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical VMware vCenter Server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild. The flaw, tracked as CVE-2024-37079 with a CVSS score of 9.8, stems from a heap overflow in the DCE/RPC protocol implementation that allows remote code execution by sending specially crafted network packets. Originally patched by Broadcom in June 2024, the vulnerability was discovered by QiAnXin LegendSec researchers who presented their findings at Black Hat Asia 2025, revealing it was part of a set of four vulnerabilities that could be chained to achieve unauthorized remote root access to ESXi systems. Federal agencies have been ordered to patch by February 13, 2026.
