This affects versions of the package vm2 prior to 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine.
vm2 project vm2