Research
/Security News
Fake imToken Chrome Extension Steals Seed Phrases via Phishing Redirects
Mixed-script homoglyphs and a lookalike domain mimic imToken’s import flow to capture mnemonics and private keys.
By Kirill Boychenko - Mar 05, 2026
You're Invited:Meet the Socket Team at RSAC and BSidesSF 2026, March 23–26.RSVP →
js-vm
Installation
Install this package using NPM:
npm install js-vm
What is js-vm?
js-vm is highly secure, fully compatible ECMAScript 5 implementation of the Node.js VM API. It may be used as a vm shim in webpack.
js-vm is designed with high demands in efficiency and security.
- Code is transpiled only on the basis on native
RegExptokenization and no AST is created, increasing speed by a factor of some 10K. - Security measures are designed to be widely immune to client-specific or future extensions of the grammar of the script language (ECMAScript). The package relies only on standardized ES5 features, leading to a best possible predictability and assessibility of security aspects.
What makes it fast?
js-vm executes scripts subsequently in the same global scope. No
iframe or Web Worker is instantiated at runtime and execution is
carried out purely by means of eval execution of RegExp-transpiled
code.
To achieve this, from the perspective of an executed script, built-in
properties of the global object are
frozen. Any modifications on properties or sub-properties of built-in
objects (such as Object.prototype.toString = function () { })
will not have any effect (see the behavior of Object.freeze()).
Considering the modification of built-in prototypes an anti-pattern in a modern modularized ECMAScript ecosystem, we regard this increased strictness as an acceptable measure that does not affect code quality but on the contrary.
js-vm will attempt to create a separate global scope (i.e., by means
of an iframe or Node.js' native vm) as a target of its code
execution. If such a measure is not available, however (e.g., in a Web
Worker), built-in objects, execution of the host environment appear as
frozen, too.
Limitations with respect vm
- All scripts run in strict mode (or an unspecified superset, if unsupported).
- Built-in objects (
Object,Array,Dateetc.) and their prototypes are immutable. This includes properties such asRegExp.lastMatch, which normally are altered dynamically.
Extensions over vm
- The timeout option is not only applied to the main operation, but also on subsequently executed events, timed functions etc.
Usage
var vm = require('js-vm');
var sandbox = { console };
vm.runInNewContext('console.log("Hello world")', sandbox);
See the Node.js vm documentation.
License
© 2016 Filip Dalüge, all rights reserved.
FAQs
Pure ECMAScript 5 implementation of the Node.js VM API
The npm package js-vm receives a total of 0 weekly downloads. As such, js-vm popularity was classified as not popular.
We found that js-vm demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 05 Nov 2016
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Socket Named a Supply Chain Innovator in Latio's 2026 Application Security Market Report
Latio’s 2026 report recognizes Socket as a Supply Chain Innovator and highlights our work in 0-day malware detection, SCA, and auto-patching.
By Sarah Gooding - Mar 05, 2026
Company News
Meet the Socket Team at RSAC and BSidesSF 2026
Join Socket for live demos, rooftop happy hours, and one-on-one meetings during BSidesSF and RSA 2026 in San Francisco.
By Sarah Gooding - Mar 03, 2026