But as I use a VPN, malware can't get my real IP and can therefore not spread through my network, from my knowledge.
/steel9
Regarding the possibility of IP leaks, a famous one is via WebRTC, found in browsers. It may reveal your true IP address, even if connected to a VPN... and NAT mode being a candidate, I believe.
That's why you will find a "prevent IP leak by webRTC" option in some browsers and VPN apps. Basically, any application that renders web pages can be affected by this.
Other than that, blocking all connections when the VPN connection is lost (some VPNs offer such a firewall) is necessary.
However, when you run malware on your VM, remember this:
You're probably more likely to infect the Private Network than to come across a VirtualBox exploit that makes for an escape.
Note that NAT and Bridged mode have certain advantages and disadvantages in terms of security, and I'm sure you'll find a lot of info on Google with long debates on the comparisons. It is important to have a good software-based firewall on the host machine and all other machines connected in your network.
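To check your own browser for the WebRTC leak mentioned above, you can copy the ICE candidate lines it gathers (for example from its WebRTC internals page) and see which addresses they carry. The following is an added example, not part of the original posts: it parses candidate lines and flags any address that is neither mDNS-obfuscated nor one of the VPN addresses you expect. The sample candidates and the allowed addresses are constructed, and the function names are hypothetical.

```javascript
// Added example: find addresses exposed by WebRTC ICE candidates.
// Constructed sample lines (RFC 1918 / RFC 5737 addresses), not captured traffic.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 3f2a9c1e-7b1d-4c55-9a3e-0d6f2b8e4a10.local 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:4 1 udp 1686052607 198.51.100.7 40000 typ srflx raddr 10.8.0.2 rport 40000",
];
// Assumption: the VPN exit address and the VPN tunnel interface address.
const SAMPLE_ALLOWED = ["198.51.100.7", "10.8.0.2"];

// Parse one candidate line into the fields that matter for a leak check.
function parseCandidate(line) {
  const re = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(?: raddr (\S+) rport (\d+))?/;
  const m = re.exec(line.trim());
  if (!m) return null;
  return { address: m[5], port: Number(m[6]), type: m[7], relatedAddress: m[8] || null };
}

// True for RFC 1918 IPv4 addresses (IPv6 is out of scope for this example).
function isPrivateV4(addr) {
  const p = addr.split(".").map(Number);
  if (p.length !== 4 || p.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return p[0] === 10 || (p[0] === 172 && p[1] >= 16 && p[1] <= 31) || (p[0] === 192 && p[1] === 168);
}

// Return each exposed address once, in the order first seen.
function findLeaks(lines, allowedAddrs) {
  const allowed = new Set(allowedAddrs);
  const found = new Map();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue; // skip lines that are not ICE candidates
    // Both the candidate address and the related (base) address can expose you.
    for (const addr of [c.address, c.relatedAddress]) {
      // Browsers may replace host addresses with random mDNS ".local" names.
      if (!addr || addr.endsWith(".local") || allowed.has(addr)) continue;
      found.set(addr, isPrivateV4(addr) ? "private" : "non-private");
    }
  }
  return [...found].map(([address, kind]) => ({ address, kind }));
}

console.log(findLeaks(SAMPLE_CANDIDATES, SAMPLE_ALLOWED));
```

An empty result means every candidate carried only an obfuscated name or an address you listed as expected; a "private" hit shows a LAN address is visible to the page, a "non-private" hit a public address that is not the VPN's.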