A fresh CVE (2025-55305) just put Electron apps in the hot seat. The bug? Chromium-based apps fail to treat V8 heap snapshot files as potential attack vectors. That crack lets unsigned JavaScript slip past code signing and run inside heavyweight targets like Slack, 1Password, and Signal.

The heart of it: heap snapshots aren't flagged as executable, so they dodge integrity checks. And if the app lives in a user-writable path? Congrats—you've got a persistent backdoor.