December 2025 was dominated by high-impact threats targeting both the modern web stack and trusted developer ecosystems. The month saw the disclosure of React2Shell, a critical 10/10 vulnerability enabling unauthenticated RCE in React-based applications, with rapid real-world exploitation and widespread patching efforts across global providers. At the same time, WebRAT infostealer activity increased as attackers abused GitHub repositories to distribute malware disguised as exploit code.
Outside of the technical headlines, December also brought several notable developments — including hacktivists scraping and archiving nearly Spotify’s full catalogue, Amazon uncovering a suspected North Korean remote worker through latency and behavioural analysis, Microsoft announcing M365 Baseline Security Mode, and increasing privacy concerns leading to bans on smart glasses and other wearable tech.
Techniques
React2Shell Vulnerability Discovered and Released
In December 2025, a 10/10 severity flaw in the React.js application framework, dubbed React2Shell, was publicly disclosed, causing global disruption and chaos as providers and developers raced to patch their applications built on React. The vulnerability allows unauthenticated Remote Code Execution (RCE): an attacker can craft commands and run them on servers running common versions of React. It was discovered by New Zealand-based pen-tester and researcher Lachlan Davidson, who notified the React team on November 29, before it was publicly disclosed on December 3.
The React.js framework is used to handle and present dynamic user interfaces on web pages and was originally developed by Facebook (Meta) in 2011 to handle the newsfeed on the Facebook app – at the time it was a complex User Interface (UI) that needed a new framework to handle all the moving and interactive content. Today React is open-source and has many offshoots and derivative frameworks built off it including Next.js, Node.js, and Cloudflare’s RedwoodSDK. It is estimated by a Stack Overflow survey that more than half of all web development taking place today uses the React framework in some way.
The attack interferes with React's deserialisation process, in which data sent from a client is serialised ('wrapped up') and then unwrapped by React's server-side backend. React2Shell corrupts that unwrapping (deserialisation) step so that malicious commands run on the server without authentication, meaning an attacker can go on to launch further attacks such as opening remote shells or installing backdoors on the server – a worst-case scenario for any organisation running React or one of its offshoots.
Within hours of the vulnerability being disclosed, APTs including China's Earth Lamia and Jackpot Panda were using it to breach organisations, showing the effectiveness of the exploit in the real world. Over 30 organisations were confirmed to have been breached using the exploit in the first few days, including critical infrastructure, government, and private companies. Fixes were released within the same week as the exploit was released, and companies have been rushing to patch their systems as fast as possible to mitigate the risk – including a 25-minute outage at Cloudflare, which impacted approximately 28% of all HTTP traffic served while emergency changes to the Redwood framework were implemented.
We are seeing real-world impacts from this vulnerability, and are likely to continue to see breaches, disruption, and impacts for a long time to come. Anyone using React or a derivative of the framework should patch immediately and monitor for any signs of attack using the React2Shell vulnerability.
WebRAT Malware is Now Being Distributed Through GitHub Disguised as Other Exploits
WebRAT, an intrusive malware that has been spreading to end-user devices in recent months, has seen an uptick in infections through a technique that hides it inside exploit code publicly available on GitHub. Previously hidden in packages containing cheats or pirated versions of popular games such as Rust, Counter-Strike, and Roblox, WebRAT is an infostealer that steals login details for Steam, Discord, and Telegram accounts as well as cryptocurrency wallet information. It has also been observed keylogging, providing remote access, and watching users through their webcams.
Attackers have been crafty in their approach, creating Git repositories with code that claims to exploit known critical vulnerabilities across popular platforms. Kaspersky Lab has so far discovered 15 repositories containing exploit code for real, existing vulnerabilities in Windows, Internet Explorer, and WordPress plugins; users download the packages from these repositories hoping to obtain tooling that would let them attack other web users. Unbeknownst to these users, a malicious .dll file hidden within the downloaded exploit code blocks Windows Defender and installs the malware on the user's device.
This follows on from the recent Shai-Hulud worm, which has been spreading via Git repositories, with Git downloads quickly becoming a successful and favoured technique for attackers to gain a foothold on victims' devices. Any developers or researchers downloading packages from GitHub are advised to check the contents carefully before and after download and look for signs that the downloaded files are unsafe – including corrupted files within the package, or .dll, .bat, and .exe file types.
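As an added illustration of the advice above (example code written for this newsletter, not Kaspersky's or GitHub's tooling), a small Python checker that walks a freshly cloned repository and reports the file types the advice names, PE executables hiding behind a non-executable extension, and empty files; the suffix list and the checks themselves are assumptions.

```python
import os
import sys
from pathlib import Path

# File types the advice above singles out in a downloaded "exploit" package
# (assumed policy list for this example, not Kaspersky's or GitHub's tooling).
RISKY_SUFFIXES = {".dll", ".exe", ".bat"}
# Windows PE images (.exe and .dll alike) begin with the two bytes "MZ".
PE_MAGIC = b"MZ"


def inspect_file(path: Path) -> list[str]:
    """Return the findings for one file; an empty list means nothing stood out."""
    findings = []
    suffix = path.suffix.lower()
    if suffix in RISKY_SUFFIXES:
        findings.append(f"risky file type {suffix}")
    try:
        with path.open("rb") as fh:
            head = fh.read(len(PE_MAGIC))
        size = path.stat().st_size
    except OSError as exc:
        return [f"unreadable: {exc}"]
    # A PE header under a harmless-looking name (helper.py, README.txt) is a stronger
    # signal than the extension alone: a dropper can hide a DLL inside "source code".
    if head == PE_MAGIC and suffix not in {".dll", ".exe"}:
        findings.append("PE executable disguised with a non-executable extension")
    if size == 0:
        findings.append("empty (possibly corrupted) file")
    return findings


def scan_repo(root: str) -> dict[str, list[str]]:
    """Walk a cloned repository and map each suspicious relative path to its findings."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # git metadata is not payload
        for name in filenames:
            path = Path(dirpath) / name
            findings = inspect_file(path)
            if findings:
                report[path.relative_to(root).as_posix()] = findings
    return report


if __name__ == "__main__":
    for rel, why in sorted(scan_repo(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{rel}: {'; '.join(why)}")
```

Run it against the clone directory before opening anything in the package; a clean report is no guarantee, but any PE header or executable type in a "proof-of-concept" repository deserves a closer look in an isolated environment.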
Happenings
[Global] Anna's Archive Scrapes and Archives Spotify's Catalogue
Web pirate activist group Anna's Archive have reported that they have scraped Spotify and amassed a catalogue of 86 million music files and their associated metadata, accounting for about 99.6% of all listens on the popular music streaming app. The group undertook this in an attempt to build the largest digital archive and 'backup' of music ever created, with the haul consisting of approximately 300 terabytes of files available for users to download.
Anna’s Archive typically focus on backing up books, papers, and other text, to make them publicly available via torrent and have built out a large archive as a way to preserve documents and information freely. This latest foray is an attempt to create a one-stop ‘preservation archive’ for music, so that no music is lost as Spotify’s catalogue moves and changes.
While no details have been released on how the group managed to bypass the DRM (Digital Rights Management) protections in place, it's believed that a number of accounts were used to automatically scrape the content using illicit means – likely through a public API combined with rate-limit evasion techniques.
Spotify have responded by removing the malicious accounts used for the scraping and have now implemented new safeguards to prevent this from happening again. The Anna's Archive .org domain has now been taken offline as a result of copyright infringement. While this is being treated as theft and a copyright issue at present, the internet is divided on whether it is a positive or a negative for the music industry, with some users stating that an archive like this preserves music for all, and others saying that it further impedes an already difficult industry for small artists. While there are a number of affordable, legitimate music streaming services available for people to subscribe to, this demonstrates that there is still a large-scale appetite for pirated content on the web.
[US] Amazon Uncovers North Korean Remote Worker Through Latency Analysis
Amazon recently uncovered a North Korean IT worker performing a remote systems administrator role, following a recent spate of IT-related fraud activity from North Korea. Cybercrime is a lucrative revenue source for the North Korean regime, both through the theft of cryptocurrency (with a reported $2.02 billion USD stolen in 2025) and by infiltrating foreign companies to commit fraudulent or malicious activities.
While investigating internal threats, Amazon identified that an employee's keyboard inputs were taking 110 milliseconds to reach its headquarters in Seattle, when much less time would typically be expected. This prompted Amazon to investigate further, and they found that the employee had been remotely accessing Amazon's systems from an endpoint in China, a technique commonly adopted by North Korean remote workers. The worker's sessions were terminated and their access revoked, and the investigation found that a third-party outsourcing firm used by Amazon had unknowingly hired the North Korean worker.
Malicious remote workers are a growing problem for organisations globally as the outsourcing trend continues, with highly skilled and specialist workers available at low cost to Western businesses. Amazon reported that since April 2024 it has identified and blocked over 1,800 North Korean workers attempting to infiltrate the company disguised as employees. Organisations are advised to continue to carefully consider and verify any remote parties prior to giving them system access, and to make sure that appropriate due diligence is completed.
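The latency check described above, as an added example (not Amazon's own detection logic): it derives the lowest plausible one-way latency from a worker's claimed location to a Seattle server from great-circle distance and fibre propagation speed, and flags sessions whose observed keystroke latency is several times higher than geography can explain. The coordinates, propagation speed, overhead allowance and suspicion factor are assumptions, and the sessions are constructed sample data.

```python
import math

# Assumptions for this example: signal speed in optical fibre (about two-thirds of c),
# a fixed allowance for routing and processing on a direct path, and how many times
# the physically expected latency we tolerate before a session is flagged.
FIBRE_KM_PER_MS = 200.0
OVERHEAD_MS = 15.0
SUSPICION_FACTOR = 3.0

SEATTLE_HQ = (47.61, -122.33)  # approximate coordinates (assumption)

# Constructed sample sessions: claimed location and measured one-way keystroke latency.
SAMPLE_SESSIONS = [
    {"user": "analyst-07", "claimed": (40.71, -74.01), "input_latency_ms": 40.0},      # New York
    {"user": "contractor-42", "claimed": (45.52, -122.68), "input_latency_ms": 110.0},  # Portland
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two (lat, lon) points in degrees."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def expected_one_way_ms(claimed, server):
    """Lowest one-way latency a direct connection from the claimed location could achieve."""
    return haversine_km(*claimed, *server) / FIBRE_KM_PER_MS + OVERHEAD_MS


def assess_session(session, server):
    """Return (suspicious, expected_ms, observed_ms) for one session.

    A keystroke path several times slower than geography requires is consistent
    with the traffic being relayed through a distant endpoint.
    """
    expected = expected_one_way_ms(session["claimed"], server)
    observed = session["input_latency_ms"]
    return observed > SUSPICION_FACTOR * expected, expected, observed


def flag_sessions(sessions, server):
    """Return the user names whose sessions look relayed."""
    return [s["user"] for s in sessions if assess_session(s, server)[0]]


if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        suspicious, exp, obs = assess_session(s, SEATTLE_HQ)
        print(f"{s['user']}: observed {obs:.0f} ms, expected at least {exp:.0f} ms, "
              f"{'SUSPICIOUS' if suspicious else 'ok'}")
```

A flag is a prompt for the kind of follow-up Amazon did (checking where the session actually originates), not a verdict on its own, since congested or satellite links can also inflate latency.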
[Global] Microsoft to Introduce Baseline Security Mode for M365
To help combat ongoing attacks and security issues with its online M365 product suite, Microsoft are introducing a new Baseline Security Mode (BSM) feature that configures applications to a minimum security standard, rolling it out to customers in early 2026. While other features such as Secure Score already exist within the Microsoft administration portals, Baseline Security Mode will allow users to easily harden their M365 environments and deploy the necessary configuration changes quickly, rather than sifting through recommendations and having to decide what to implement.
The Baseline hardening focusses on enabling controls related to authentication, file and content security, and Teams protections – all areas that are commonly misconfigured and used by attackers to breach M365 tenants. BSM configurations include blocking legacy authentication, enabling phishing-resistant MFA for admins, and blocking risky sign-ins. It has been known for a long time that the current security defaults in M365 are often weak, and if left in a default state or not configured appropriately they can lead to breaches that cost organisations huge amounts of time and money, let alone the reputational damage.
It’s great to see Microsoft moving in the right direction when it comes to creating more secure default environments for customers and providing them with new tools to make it easier to achieve good security. We hope to see this trend continue and that Microsoft continue to provide easier ways for customers, especially small organisations without dedicated IT or cybersecurity staff, to protect their digital environments.
[Global] MSC Cruises Bans Smart Glasses as Wearable Tech Gains Popularity

With the release of the latest generation of Meta's smart glasses (released in late 2025) and competitors quickly catching up, a new wave of tech-related privacy issues has emerged across the globe, with organisations beginning to ban such technology on their premises. Rising in popularity in recent years, smart glasses allow users to read messages, take photos, translate live speech, and make calls hands-free. Users wear them while wirelessly tethered to their phone, much as they currently do with smart watches – the key difference being the glasses' ability to take photos and record video.
With the surge in popularity, the public has started to call for greater regulation and privacy protections, as there has been an uptick in cases where people have been filmed using the technology unknowingly or maliciously, with the footage then posted to social media. MSC Cruises have now outright banned smart glasses onboard their cruise liners, in a move that is likely to be followed by other organisations. They implemented the ban due to privacy concerns for their passengers, as the glasses can be used to discreetly record within the ship's bathrooms, spa and pool facilities, and other areas where people may not wish to be filmed. Others have also cited the traction gained online by staged or provoked events filmed by vloggers using the technology to attract views.
This marks one of the first large bans by a private organisation and will be followed by others as the technology is adopted more widely and used more commonly. It will be interesting to see how the laws of each country, including Aotearoa New Zealand, adapt and evolve to keep up with the rapidly changing wearable technology market.