🎓️ Vulnerable U | #145

React and Next.js critical RCE zero day, Brickstorm malware found in VMWare, Korea crack down on IP camera spying, and much more!

Author

Matt Johansen
December 05, 2025

Read Time: 9 minutes

Brought to you by:

Howdy friends!

Hope your Thanksgiving was lovely if you’re in the states. We’re in the full holiday swing around here, lots of lights, trees, and plans for parties and get-togethers.

I’ve been spending a ton of this week testing AI coding tools, and I feel like we’ve really crossed an apex. I picked up a project I started almost exactly a year ago, and the tools are just melting through walls I hit on it back then. Yes, the models are better, Opus 4.5 isn’t getting into broken loops as much as the old models would, but the real unlock is context management.

If you can get the right context within window size to the right model (Opus) and manage that window well, I’m just seeing it knock things out of the park. - I’ve got a few tools I’m helping some friends test that hopefully I can share with you soon. Hit me up somewhere (Twitter or LinkedIn have had good threads lately) if you’re hacking on this kind of stuff and want to chat about it.

ICYMI

🖊️ Something I wrote: Did you know there are AI tools out there built specifically for hackers (WormGPT)

🎧️ Something I heard: Exposing a Romance Scammer

🎤 Something I said: this is seriously concerning… (CrowdStrike Insider, but that’s just the tip of the iceberg)

🔖 Something I read: Giving AI haters more ammo: RIP Crucial: Memory Supplier Micron Exits Consumer Market to Chase AI

Vulnerable News

Really gnarly week for React and Next.js to get these kinds of serious vulns. We don't see this stuff too often. These are definitely worth running an incident on if you're a Reactor Next.js shop.

The 10/10 CVSS "React2Shell” vulnerability in React Server Components allows attackers to achieve remote code execution without authentication by sending crafted HTTP requests that trigger insecure deserialization. Security researcher Lachlan Davidson found this one and it's hitting React versions 19.0 through 19.2.0, plus Next.js experimental canary builds and all 15.x/16.x releases below the patched versions.

Wiz is reporting that 39% of cloud environments they monitor contain vulnerable versions, which makes sense given React pulls 55.8 million weekly NPM downloads and Next.js gets 16.7 million. The good news is patches are already out - React 19.0.1, 19.1.2, and 19.2.1, plus various Next.js fixes.

Problem is, GitHub's getting flooded with garbage PoCs that don't actually work and completely miss the real exploit mechanism. The original researcher even had to post on react2shell.com telling people these aren't the same exploits shared with the maintainers. - This post is solid and even includes a scanner: High Fidelity Detection Mechanism for RSC/Next.js RCE (CVE-2025-55182 & CVE-2025-66478)

aaaand after I wrote all that ^ but before I hit send - we’ve got confirmation this exploit is weaponized in the wild by China. - China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182)

Make sure you’re all over this one. (read more)

AppSec often struggles to prevent issues without slowing developers. A lack of context makes it hard to set targeted controls, so issues slip into production faster than teams can fix them – leaving teams with ever growing backlogs and applications persistently at risk.

This guide provides a practical, five-stage framework to enable teams to turn security gates into guardrails, allowing teams to accelerate secure development.

*Sponsored

Google's Threat Intelligence team just dropped details on Intellexa's continued operations despite US sanctions. They're absolutely crushing it with zero-days - responsible for 15 out of 70 zero-days TAG discovered since 2021. The latest was a Chrome v8 exploit (CVE-2025-6554) spotted in Saudi Arabia this June.

What's fascinating is their iOS exploit chain dubbed "smack" - they're actually buying parts of it from others, including a framework called JSKit that Russian state actors and other spyware vendors have used. The chain includes sophisticated sandbox escapes and a spyware stager called PREYHUNTER that checks if it's got the right target before deploying the full Predator payload. They're also getting creative with delivery, using malicious ads to fingerprint users before serving exploits. Google's now warning hundreds of targeted accounts across Pakistan, Kazakhstan, Angola, Egypt, and other countries. (read more)

CISA advisory - BrickStorm Backdoor in VMWare

Google absolutley called it when they published the BrickStorm research. They knew this would be getting WAY worse before it got better. I keep hearing whispers of people running incidents with YEARS of dwell time using this malware. Now CISA is ringing the alarm bells even more.

They're creating hidden rogue VMs to stay under the radar and stealing VM snapshots to harvest credentials. The malware uses multiple encryption layers (HTTPS, WebSockets, nested TLS), plus DNS-over-HTTPS for concealment and even has a self-monitoring feature that automatically reinstalls itself if it gets disrupted.

Hackers initially compromised a web server in the DMZ back in April 2024, then pivoted to internal VMware infrastructure and maintained access through September 2025. They also hit domain controllers and an ADFS server along the way. CrowdStrike's linking this to a group they call "Warp Panda," and it's the same crew Google flagged as UNC5221 for exploiting Ivanti zero-days. If you're running VMware infrastructure, definitely check out those YARA and Sigma rules CISA published. (read more)

Wiz Research dropped a pretty awesome breakdown of the Shai-Hulud 2.0 supply chain worm tearing through npm. This thing managed to stay active for over 6 days and most infections (77%) hit CI/CD systems rather than developer laptops, with @postman/tunnel-agent and @asyncapi/specs being the main infection vectors. The malware tried to be clever with cloud secret extraction across AWS, GCP, and Azure, but apparently the attackers couldn't handle proper error handling and the cloud.json files came up empty due to bugs in their code.

The scale is pretty wild - they're tracking over 30,000 compromised repositories with about 24,000 unique environment files. While the attackers used Trufflehog to harvest secrets, only 2.5% of the 400,000 scraped secrets were actually verified. Still, that leaves hundreds of valid secrets floating around, including over 60% of leaked npm tokens that are still active. The cross-victim exfiltration method means companies can't just search their own GitHub orgs to see if they're affected - their data might be sitting in some random victim's repository. Supply chain nightmare fuel. (read more)

Korean police just busted an IP camera hacking operation that will have everyone who refuses to have internet connected cameras in their house going: “SEE! THATS WHY!” Four suspects managed to compromise over 120,000 cameras across the country, harvesting intimate footage and selling it to foreign adult sites for some decent crypto payouts - one guy made $23,800 from 545 videos.

Police aren't just going after the hackers - they're actively pursuing buyers and viewers of the stolen content through international cooperation, and three purchasers are already facing up to three years in prison. They've identified 58 affected locations so far and are helping victims with takedown requests. Standard advice applies here: change those default passwords, disable remote access when you don't need it, and keep firmware updated. (read more)

You should not have to chase screenshots, spreadsheets, and Slack messages just to know where your security posture actually stands. Drata gives you real-time visibility with continuous control monitoring and automated evidence collection, so you always know what is working and what is not. Less scrambling means less risk and more trust.

See your security posture clearly with Drata.

*Sponsored

Russia just handed down a brutal 21-year sentence to physicist Artyom Khoroshilov for what looks like a mix of questionable cyber charges and some genuinely bad OpSec. The 34-year-old researcher got nailed for transferring $9,000+ to a Ukrainian charity (which he admits was a mistake), allegedly running DDoS attacks against Russian postal systems, and having explosive components at home that he claims were for gardening. His colleagues are calling BS on the tech charges, saying the guy "barely knew how to program."

This is clearly part of Russia's broader crackdown since the war started - they're throwing the book at anyone with even tangential connections to Ukrainian cyber activities. The IT Army of Ukraine says they don't know if this guy was actually involved, but noted that Russian authorities are basically "hunting down any sign of resistance." Whether Khoroshilov is a cyber saboteur or just a physicist who made some poor donation choices and downloaded the wrong software, 21 years seems pretty harsh. But that's apparently the new normal for anything cyber-related that might benefit Ukraine. (read more)

This is one of those pieces of software you’ve never heard of but is behind the scenes at a bunch of important places. Marquis Software Solutions just had a rough day explaining to 74 banks and credit unions why 400,000+ of their customers' data got snatched in August. The financial software provider got pwned through their SonicWall firewall, with attackers making off with names, SSNs, account info, and dates of birth. A now-deleted filing suggests they paid the ransom, which is always a fun conversation to have with regulators.

This has Akira ransomware gang written all over it - they've been having a field day with SonicWall devices since exploiting CVE-2024-40766 to steal VPN creds and OTP seeds. What's particularly embarrassing is the "enhanced security controls" Marquis implemented after the breach - stuff like enabling MFA on VPN accounts, rotating passwords, and patching firewalls. You know, basic security hygiene that should've been done years ago. It's wild that a company serving 700+ financial institutions wasn't already doing these fundamentals, especially when even small banks get audited for this stuff regularly. (read more)

WordPress is still shockingly widely popular and the plugin ecosystem is still a juicy target. There's a privilege escalation bug in King Addons for Elementor that's getting hammered in the wild - CVE-2025-8489 lets anyone signing up just specify they want admin rights and boom, they've got it. Wordfence has blocked over 48k exploit attempts since it went public on October 31st, with the heaviest activity hitting in early November. The flaw is embarrassingly simple - the registration handler just trusts whatever user role you tell it you want.

Making matters worse, there's another critical RCE vulnerability in Advanced Custom Fields: Extended affecting over 100k sites. This one (CVE-2025-13486) allows unauthenticated attackers to execute arbitrary code through a crafted request, which is about as bad as it gets. Both plugins have patches available, so if you're running King Addons update to 51.1.35, and for ACF Extended grab version 0.9.2. Don't sleep on these - when plugins handling user registration or accepting arbitrary input get compromised, it's game over pretty quickly. (read more)

Ayyyy how fun for job hunters - more stuff to worry about. Instead of just needing to land a job, you’re dodging North Koreans and now even more malware! The attackers are sending out archive files with names like "Overview_of_Work_Expectations.zip" and "Authentic_Job_Application_Form.zip" that contain a weaponized Foxit PDF Reader. The malware even shows victims a fake job posting with salary details while secretly installing itself in the background through DLL side-loading.

Once installed, it steals browser data and establishes persistence through registry entries. Trend Micro's seeing a major spike in detections since late October. (read more)

Here's a fun twist on the typical cybercrime. What looked like an Indonesian gambling scam turns out to be something way more interesting. Researchers at Malanta dug into this 14-year-old operation that's been running fraudulent gambling sites and found it's probably a front for nation-state activities. Massive infrastructure - 328,000 domains costing anywhere from $725k to $17 million annually.

They're using compromised government and corporate subdomains as reverse proxies to tunnel command and control traffic. So when malicious traffic comes from, say, a hijacked .gov subdomain with valid HTTPS, it looks completely legitimate. They're also harvesting credentials through malicious Android apps and selling them on underground markets. Seems like the whole thing might be funding some actual nation-state level espionage. Wild. (read more)

Canadian police department becomes first to trial body cameras equipped with facial recognition technology

You won’t believe it but AI powered facial recognition winds up being highly inaccurate and racist!

Edmonton Police just became the guinea pigs for facial recognition body cameras, rolling out Axon's latest tech to 50 officers through December. The system automatically captures faces of anyone within 13 feet and runs them against a database of 6,341 flagged individuals with outstanding warrants or "cautions." They're promising the facial recognition only kicks in during investigations, not while officers are actively patrolling, and that humans will verify any matches.

Privacy advocates are …nervous… about this development. The technology has a documented track record of being less accurate for people of color, and we've already seen how badly this can go - remember when Rite Aid got slapped by the FTC for harassing customers based on faulty facial recognition matches? It's one thing to use this stuff in controlled environments, but strapping it to cops walking the beat feels like a pretty significant escalation in surveillance tech. (read more)

I know I talk a lot about the North Korean threat actors, but this report gets a special look behind the curtain. They did it by setting up fake developer workstations. The team at BCA LTD, NorthScan, and ANY.RUN created a honeypot, pretending to be a US developer getting recruited by a North Korean operator known as "Aaron/Blaze."

Instead of real laptops, they gave the attackers access to carefully monitored sandbox environments. The Lazarus playbook used legitimate tools like AI interview helpers, browser-based OTP generators, and Google Remote Desktop for persistent access. Their goal was complete identity takeover to infiltrate Western companies, particularly in finance, crypto, and healthcare. The attackers were routing everything through Astrill VPN, which matches previous Lazarus operations. (read more)

Fun little phishing campaign details - targeting business ad management accounts using fake job opportunities from big brands like LVMH, Lego, and Mastercard, complete with Calendly-themed landing pages and multi-stage email lures. A fun feature that stood out to me is you literally can't access the malicious functionality unless you're using the intended victim's email domain.

The campaign has evolved from basic Facebook account targeting to more advanced Google Workspace attacks using Browser-in-the-Browser techniques and anti-analysis features that block VPN traffic and security researchers. What their after is compromised ad management accounts that give them the ability to launch malvertising campaigns at scale. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Login or Subscribe to participate in polls.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay