Re: [apparently, someone thought this was a good idea – El Reg].
"What exaclty [sic] is NW.js?"
Well, you could try entering it into Google, which would bring you as the first hit:
http://nwjs.io/
"What exactily [sic] is JS sandboxing?"
It's the limited execution environment provided to Javascript code running in a web browser. For example, it cannot access other web pages you have open, nor open connections to websites other than the one you are viewing, nor read/write files on the host filesystem.
Plenty more info is available on the web, e.g.
http://www.howtocreate.co.uk/tutorials/javascript/security
The important thing here is that nw is itself an executable (e.g. under Windows you run nw.exe), which in turn pops open local HTML windows and interprets and runs the javascript code.
http://docs.nwjs.io/en/latest/For%20Users/Package%20and%20Distribute/
http://docs.nwjs.io/en/latest/For%20Users/Advanced/Security%20in%20NW.js/
This gives you a way of writing local apps but using HTML+CSS+Javascript instead of VB or C# or whatever. "JS Sandboxing" doesn't come into play because this is a local executable.
So really this is no different to any other attack where someone downloads an executable and runs it. The fact it uses Javascript and node.js internally is a bit of a red herring. This attack could just as well be written in BASIC and bundled with a BASIC interpreter.