
Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates


Critical Security Flaws in React Server Components

08-Dec-2025
Label: Vulnerability
Threat Level: High

A critical security flaw in React and Next.js could let remote attackers run malicious code on servers without logging in. The issue affects React Server Components (RSC) and the “Flight” protocol used to send data between the browser and the server. The vulnerabilities are tracked as CVE-2025-55182 (CVSS score: 10) for React and CVE-2025-66478 (CVSS score: 10) for Next.js. The core problem is insecure deserialization inside the RSC “Flight” payload handling. When the server receives a malicious payload, it fails to correctly verify its structure. As a result, attacker-controlled data can affect the server’s execution flow and cause privileged JavaScript code to run. Exploitation of this vulnerability has a high success rate and can be leveraged into full remote code execution. The attack vector is unauthenticated and remote, requiring only a specially crafted HTTP request to the target server. It affects the default configuration of popular frameworks, which means a large number of internet-exposed systems may be at risk if not patched.

Lazarus Group Exploits Remote-Work Hiring to Infiltrate Corporate Networks

08-Dec-2025
Label: Threat Advisory
Threat Level: Medium

Researchers captured in real time how North Korea’s Lazarus Group is abusing remote-work recruitment pipelines to infiltrate Western organizations. The attackers pose as legitimate recruiters, guide victims through fake job processes using AI-assisted application tools, steal personal identifiers, and ultimately request full remote access to the candidate’s device via Google Remote Desktop. Within controlled virtual environments, investigators observed the operators gathering system information, bypassing 2FA with browser-based OTP generators, and establishing persistent access. The findings highlight the increasing risk of APTs leveraging remote-employment workflows to gain covert entry into corporate environments.

Chinese Threat Actors Increasingly Leverage Technology Supply Chains

08-Dec-2025
Label: Threat Advisory
Threat Level: Medium

Recent analysis shows that China-linked threat actors continue to exploit technology supply chains as part of their operational toolkit, with activity observed across networking appliances, IoT ecosystems, and embedded system firmware. In several cases, hardware and software sourced through Chinese vendors contained backdoor-like functions, weak authentication mechanisms, or remotely triggerable services that could enable covert access. Other incidents involved modified firmware updates or tampered software components inserted upstream, allowing operators to maintain persistence without relying on traditional malware. These techniques align with broader trends in supply-chain compromise, where attackers use trusted hardware pathways, misconfigured update channels, or third-party components to bypass enterprise defenses. For organizations, this reinforces the importance of upstream software and hardware integrity checks as part of routine security governance.

Threat Actors Intensify Mapping of Exposed Palo Alto GlobalProtect Instances

08-Dec-2025
Label: Threat Advisory
Threat Level: Medium

Recent telemetry indicates a significant spike in coordinated reconnaissance against Palo Alto GlobalProtect VPN portals, with more than 7,000 distinct IPs conducting distributed probing, authentication testing, and portal enumeration. The activity appears focused on mapping exposed GlobalProtect instances and assessing authentication responses, consistent with pre-exploitation staging seen in prior campaigns targeting remote-access infrastructure. Although no specific exploit vector has been confirmed, the scale and persistence of the scanning suggest threat actors are preparing for broader opportunistic targeting of misconfigured or unpatched PAN-OS environments. Organizations using GlobalProtect should verify exposure settings, enforce MFA, review authentication logs for distributed failed-login patterns, and confirm that all relevant PAN-OS security updates have been applied.
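As an added example (not code from CyberProof or Palo Alto Networks), the log review suggested above, run over constructed sample lines: it flags a window where failed logins come from many distinct source IPs with only a few attempts each, which is what distinguishes distributed probing from a single brute-forcing host that per-IP lockout already handles. The log line format, field names and thresholds are assumptions for illustration, not PAN-OS's real GlobalProtect log syntax.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed simplified log format (not real PAN-OS syntax); a real deployment
# would parse the GlobalProtect auth log fields the firewall actually emits.
LINE_RE = re.compile(r"^(?P<ts>\S+) portal-auth user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) status=(?P<status>\w+)$")

def parse(line):
    """Return (timestamp, user, src_ip, status), or None for non-auth lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["src"], m["status"]

def find_distributed_failures(lines, window_minutes=10, min_failures=15,
                              min_sources=10, max_per_source=3):
    """Flag fixed windows where failures are numerous, spread over many source
    IPs, and no single IP dominates. One IP hammering one account is ordinary
    brute force for per-IP lockout; the distributed pattern evades that."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev[3] == "failure":
            ts, user, src, _ = ev
            start = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0)
            buckets[start].append((user, src))
    alerts = {}
    for start, evs in sorted(buckets.items()):
        per_src = Counter(src for _, src in evs)
        if (len(evs) >= min_failures and len(per_src) >= min_sources
                and max(per_src.values()) <= max_per_source):
            alerts[start] = {"failures": len(evs), "sources": len(per_src),
                             "users": len({u for u, _ in evs})}
    return alerts

# Constructed sample: a user mistyping a password, a distributed probe from 20
# IPs (one attempt each, cycling three usernames), then single-source brute force.
SAMPLE_LOGS = [
    "2025-12-08T09:00:01Z portal-auth user=alice src=203.0.113.10 status=failure",
    "2025-12-08T09:00:05Z portal-auth user=alice src=203.0.113.10 status=failure",
    "2025-12-08T09:00:12Z portal-auth user=alice src=203.0.113.10 status=success",
    "2025-12-08T09:02:00Z system: gateway config reload",
] + [
    f"2025-12-08T09:1{i % 10}:{i:02d}Z portal-auth user={['admin', 'test', 'vpn'][i % 3]} "
    f"src=198.51.100.{i + 1} status=failure" for i in range(20)
] + [
    f"2025-12-08T09:20:{i:02d}Z portal-auth user=admin src=198.51.100.200 status=failure" for i in range(20)
]
```

Only the 09:10 window is reported; the single-IP burst at 09:20 is left to per-IP lockout, and the thresholds should be tuned to the portal's normal failure rate before alerting on them.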

DDoS Attack Volume Reaches Historic Levels

08-Dec-2025
Label: Cyber Security News
Threat Level: Medium

Cloudflare successfully blocked the largest distributed denial of service (DDoS) attack ever recorded, which peaked at 29.7 terabits per second and lasted 69 seconds. The attack originated from AISURU, a botnet-for-hire powered by an estimated one to four million infected devices worldwide, which has been targeting telecommunication companies, gaming platforms, hosting providers, and financial services. The record-breaking incident was a UDP carpet bombing attack that hit approximately 15,000 ports per second with randomized packet properties designed to evade defenses, though Cloudflare’s automated systems successfully detected and neutralized the threat. Additionally, Cloudflare blocked another massive attack from the same botnet reaching 14.1 billion packets per second, and has recorded 2,867 AISURU attacks since the beginning of 2025, with 1,304 classified as hyper-volumetric attacks.

Salty2FA and Tycoon2FA Hybrid Phishing Campaign Detected

08-Dec-2025
Label: Malware
Threat Level: Medium

A new hybrid phishing threat has emerged combining Salty2FA and Tycoon2FA frameworks, marking a significant evolution in 2FA phishing attacks. This development complicates attribution and detection as threat actors blend infrastructure and payloads from both kits within single campaigns.

The hybrid emerged following a dramatic collapse in Salty2FA activity in late October 2025, dropping from hundreds of weekly submissions to just dozens by November. Analysis revealed that when Salty2FA infrastructure experienced operational failures with DNS SERVFAIL responses, samples automatically fell back to Tycoon2FA-based hosting and payload delivery. The attacks begin with phishing pages hosted on Cloudflare Pages Dev, containing familiar Salty2FA artifacts like embedded motivational quotes and simple class naming patterns. When primary infrastructure fails, the code switches to alternative URLs delivering Tycoon2FA payloads.

Code analysis confirmed true hybridization where early execution stages match Salty2FA patterns while later stages reproduce Tycoon2FA’s execution chain almost identically. The payloads include Base64-XOR obfuscation, anti-analysis checks, DOM manipulation to mimic Microsoft authentication pages, and characteristic DGA-generated domains for data exfiltration. Evidence suggests both frameworks may be operated by Storm-1747, explaining the seamless integration and fallback mechanisms. This evolution represents a shift toward more flexible, modular phishing operations with higher tolerance for infrastructure failures.
