Companies should immediately identify all Node.js servers, check if they are running vm2, and, if so, verify a version older than 3.9.11 isn’t being used. A robust and well-resourced dependency and vulnerability management program will help identify issues like this sooner: dependency management tracks all dependencies that are required for business functions and when updates are available for them, and vulnerability management should function like change management for vulnerability mitigation and resolution. Dependency management should be well-resourced, as many software products are built upon hundreds or thousands of dependencies. Vulnerability scanners can help significantly with keeping up with the latest vulnerabilities and mitigations.

Additionally, virtual sandboxing alone should never be considered sufficient to protect against untrusted code. Companies should implement command-line logging in order to identify normal use-case for their applications and detect abnormal commands. Further protection can be achieved by separating instances running sandboxes from more business-critical instances, requiring more effort to successfully attack a network and more opportunities to detect the activity.

https://thehackernews.com/2022/10/researchers-detail-critical-rce-flaw.html