
Random in Security 202550


Random in Security is a summary of the cybersecurity news.

Vulnerabilities

CVE-2025-55182 - React2Shell

A critical unauthenticated remote code execution vulnerability (CVSS 10.0) in React Server Components allows attackers to craft malicious HTTP requests that execute arbitrary code through unsafe deserialization of payloads sent to Server Function endpoints. The flaw affects react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in versions 19.0 through 19.2.0—meaning if you’re running Next.js, React Router, Waku, or other RSC frameworks, congratulations, you’re probably vulnerable. Full technical details are available on oss-security, and the HN thread has the usual mix of panic and “I told you so” comments.

In-the-wild exploitation is already happening: Beelzebub.ai documented the PCPcat campaign which compromised over 59,000 Next.js servers through automated scanning, achieving a 64.6% success rate via prototype pollution attacks that extract .env files, SSH keys, and cloud credentials. Their C2 server was helpfully exposing operational metrics through unauthenticated endpoints—because why hack when you can just read the dashboard?
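The first thing to establish on any RSC deployment is whether one of the three named packages is installed at an affected version, including copies nested under a framework's own node_modules. The script below is an added example written for this post, not code from the React project or from the advisory; it assumes an npm lockfile in format v2/v3 (a "packages" map keyed by install path) and uses the version range stated above, 19.0.0 through 19.2.0 inclusive. Prerelease and canary builds inside that range are flagged for manual review rather than judged, since the summary does not address them.

```javascript
// Added example (not from the post): scan an npm lockfile for the React
// Server Components packages the CVE-2025-55182 summary names, at the
// affected versions 19.0.0 through 19.2.0 inclusive. Assumes lockfile
// format v2/v3, which carries a "packages" map keyed by install path.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
const RANGE_LOW = [19, 0, 0];
const RANGE_HIGH = [19, 2, 0];

// Split "MAJOR.MINOR.PATCH[-prerelease]" into numbers plus a prerelease flag.
function parseVersion(version) {
  const [core, prerelease] = version.split("-", 2);
  const nums = core.split(".").map(Number);
  if (nums.length !== 3 || nums.some(Number.isNaN)) return null;
  return { nums, prerelease: prerelease !== undefined };
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// "yes": inside the stated range; "no": outside it; "review": a prerelease
// or canary build inside the range, which the summary does not address, so
// check it by hand; "unknown": not a parseable MAJOR.MINOR.PATCH version.
function inAffectedRange(version) {
  const parsed = parseVersion(version);
  if (!parsed) return "unknown";
  if (compareVersions(parsed.nums, RANGE_LOW) < 0) return "no";
  if (compareVersions(parsed.nums, RANGE_HIGH) > 0) return "no";
  return parsed.prerelease ? "review" : "yes";
}

// Walk every installed copy (including nested node_modules) and report
// the ones that need attention.
function findVulnerableRsc(lock) {
  const findings = [];
  const marker = "node_modules/";
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (installPath === "") continue; // the root project entry
    const name =
      entry.name || installPath.slice(installPath.lastIndexOf(marker) + marker.length);
    if (!AFFECTED_PACKAGES.has(name) || !entry.version) continue;
    const status = inAffectedRange(entry.version);
    if (status !== "no") findings.push({ name, version: entry.version, installPath, status });
  }
  return findings;
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-parcel": { version: "19.2.0-canary-1a2b3c" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "18.3.1" },
  },
};

// Usage: node rsc-lock-check.js path/to/package-lock.json
// With no argument the constructed sample above is scanned instead.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const arg = process.argv[2];
  const lock = arg && arg.endsWith(".json") ? JSON.parse(fs.readFileSync(arg, "utf8")) : SAMPLE_LOCK;
  for (const f of findVulnerableRsc(lock)) {
    console.log(`${f.status.padEnd(7)} ${f.name}@${f.version} (${f.installPath})`);
  }
}
```

A clean result from the lockfile only means nothing in that range is declared; it says nothing about containers or hosts that were built before the lockfile was updated, so pair it with an inventory of what is actually deployed.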

Airoha RACE Vulnerabilities

Researchers presented at 39C3 three critical vulnerabilities (CVE-2025-20700, CVE-2025-20701, CVE-2025-20702) in Airoha Bluetooth audio chips that let attackers read and write device memory via the custom RACE protocol. By extracting Bluetooth Link Keys from headphone flash memory, attackers can impersonate your trusted Sony, Marshall, or Jabra headphones to compromise your paired smartphone—enabling eavesdropping, call hijacking, and data theft. The full disclosure from Insinuator has all the gory details, and they’ve released the RACE Toolkit so you can check if your overpriced earbuds are also a liability. HN discussion available for those who enjoy existential dread about their AirPods.

Interesting Reads

Stop Putting Your Passwords Into Random Websites

watchTowr Labs discovered approximately 80,000+ exposed credentials saved on public code formatting websites like JSONFormatter and CodeBeautify. By exploiting the “Recent Links” feature and predictable URL patterns, they found Active Directory credentials, database passwords, API keys, and PII from government, banking, healthcare, and cybersecurity organizations. Their canary token experiment confirmed that malicious actors are actively harvesting and testing these exposed credentials—so maybe don’t paste your AWS keys into a website called “JSONBeautifier.io” next time.

Hacker attack on Arabella München

Munich radio station Radio Arabella was hit by a ransomware attack, with the station’s own announcement and Merkur coverage detailing the incident. Nothing says “Bavaria” quite like cybercrime disrupting your morning Schlager.

Shai-Hulud 2.0

The sandworm of npm supply chain attacks returns: Wiz documented the Shai-Hulud 2.0 campaign which compromised approximately 700 npm packages from major developers like Zapier, PostHog, and Postman, affecting over 25,000 GitHub repositories. The malware steals AWS keys, GitHub tokens, and cloud secrets during installation, then creates persistence through GitHub workflows that register infected machines as self-hosted runners. HelixGuard’s analysis details how a counterfeit Bun runtime was distributed through npm, compromising 1,000+ packages within hours. HN discussion contains the expected “this is why I pin everything” comments.

Censys 2025 State of the Internet Report

Censys released their 2025 State of the Internet Report focusing on understanding adversary infrastructure through real investigations and data. If you enjoy 100-page PDFs about threat actor infrastructure, this one’s for you.

SVG Filters: Clickjacking 2.0

Lyra Rebane discovered a novel clickjacking technique using SVG filters to create complex, multi-step attacks against cross-origin iframes. By leveraging filter primitives like feDisplacementMap, feComposite, and feColorMatrix, attackers can read pixel data and implement logic gates to display responsive overlays—all without JavaScript. This earned a $3,133.70 Google VRP bounty and represents the first documented method combining SVG filter logic with interactive clickjacking.
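Whatever the filter chain does, the technique needs the victim page inside a cross-origin iframe, so the defender's question is the classic one: do your pages allow that at all? The checker below is an added example written for this post, not code from the research or the Google VRP report. It takes one response's headers (names lower-cased, as Node's http module presents them) and reports whether an arbitrary cross-origin page could frame it, applying the rule that browsers enforcing CSP frame-ancestors ignore X-Frame-Options when both are present. It evaluates a single policy string; if a server emits several Content-Security-Policy headers, each one has to be checked, because the most restrictive wins.

```javascript
// Added example (not from the post): given the response headers of one of
// your own pages (names lower-cased), report whether an arbitrary
// cross-origin page could frame it. Framing is the precondition for
// clickjacking, the SVG-filter variant included.
function crossOriginFramingAllowed(headers) {
  const csp = headers["content-security-policy"];
  if (csp) {
    // Browsers that understand frame-ancestors enforce it and ignore
    // X-Frame-Options, so it is evaluated first.
    const directive = csp
      .split(";")
      .map((d) => d.trim().split(/\s+/))
      .find((tokens) => tokens[0].toLowerCase() === "frame-ancestors");
    if (directive) {
      const sources = directive.slice(1).map((s) => s.toLowerCase());
      if (sources.length === 0 || sources.includes("'none'")) {
        return { framable: false, reason: "frame-ancestors denies all framing" };
      }
      // "*" or a bare scheme source such as "https:" matches any origin.
      const openSource = sources.find((s) => s === "*" || /^[a-z][a-z0-9+.-]*:$/.test(s));
      if (openSource) {
        return { framable: true, reason: `frame-ancestors contains ${openSource}` };
      }
      const others = sources.filter((s) => s !== "'self'");
      return {
        framable: false,
        reason: others.length
          ? `frame-ancestors limited to ${others.join(" ")}`
          : "frame-ancestors 'self' only",
      };
    }
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") {
    return { framable: false, reason: `X-Frame-Options ${xfo}` };
  }
  if (xfo.startsWith("ALLOW-FROM")) {
    // ALLOW-FROM was never supported by Chromium and was dropped by Firefox,
    // so it offers no protection today.
    return { framable: true, reason: "X-Frame-Options ALLOW-FROM is ignored by current browsers" };
  }
  return {
    framable: true,
    reason: xfo ? `unrecognised X-Frame-Options value "${xfo}"` : "no framing restriction set",
  };
}

// Constructed header sets for illustration, not captured from a real site.
const SAMPLES = {
  unprotected: { "content-type": "text/html" },
  xfoDeny: { "x-frame-options": "DENY" },
  cspNone: { "content-security-policy": "default-src 'self'; frame-ancestors 'none'" },
  cspPartner: { "content-security-policy": "frame-ancestors 'self' https://partner.example" },
  // CSP wins over the conflicting X-Frame-Options here, so this one is open.
  cspOpen: { "content-security-policy": "frame-ancestors https:", "x-frame-options": "DENY" },
};

for (const [label, headers] of Object.entries(SAMPLES)) {
  const verdict = crossOriginFramingAllowed(headers);
  console.log(`${label.padEnd(12)} framable=${verdict.framable} (${verdict.reason})`);
}
```

Pages that genuinely need embedding by a partner should list that partner's origin in frame-ancestors, as the cspPartner sample does, rather than fall back to `*` or a bare scheme; the check treats only the former as closed to arbitrary origins.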

Knownsec: The King of Vulnerability Missed Three Vulnerabilities of Its Own

Natto Thoughts reports on a November 2025 leak from Knownsec (知道创宇), a major Chinese cybersecurity company, which allegedly included 12,000 confidential documents. The irony of a vulnerability research firm getting pwned writes itself.

Tools