
"The year opened without a reset. The same pressure carried over, and in some places it tightened. Systems people assume are boring or stable are showing up in the wrong places. Attacks moved quietly, reused familiar paths, and kept working longer than anyone wants to admit. This week's stories share one pattern. Nothing flashy. No single moment. Just steady abuse of trust - updates, extensions, logins, messages - the things people click without thinking. That's where damage starts now."
"React2Shell is the name assigned to a critical security vulnerability in React Server Components (RSC) and Next.js that could allow unauthenticated attackers to achieve remote code execution on susceptible devices. According to statistics from the Shadowserver Foundation, there are about 84,916 instances that remain susceptible to the vulnerability as of January 4, 2026, out of which 66,200 instances are located in the U.S., followed by Germany (3,600), France (2,500), and India (1,290)."
Steady, low-noise campaigns continue to exploit trusted mechanisms such as updates, extensions, logins, and messages to gain long-term access. A nine-month campaign enrolled IoT devices and web apps into the RondoDox botnet by exploiting React2Shell (CVE-2025-55182), a critical remote code execution flaw in RSC and Next.js; roughly 84,916 instances remain vulnerable worldwide, 66,200 of them in the U.S. The Shai-Hulud supply-chain compromise hit Trust Wallet's Chrome extension, exposing developer GitHub secrets and enabling the theft of about $8.5 million. Attackers reuse familiar paths and maintain persistence rather than relying on flashy, single-moment exploits.
Read at The Hacker News