Threat Report 12/9/25
A Vulnerability in React Server Component (RSC) Could Allow for Remote Code Execution
A vulnerability in the React Server Components (RSC) implementation has been discovered that could allow for unauthenticated remote code execution on affected servers. The issue stems from unsafe deserialization of RSC "Flight" protocol payloads, which lets an attacker send a crafted request that triggers execution of code on the server. Security researchers are now calling it "React2Shell". Active exploitation has been reported in the wild, specifically by Chinese threat actor groups.
Dataminr warns that a threat actor is advertising a full-chain exploit that uses memory corruption vulnerabilities to achieve remote code execution on iOS 26. The threat actor has offered proof of the alleged exploit, and Dataminr describes the advertisement as "credible." The actor says the exploit uses memory corruption to run arbitrary code and links multiple vulnerabilities to achieve remote code execution, escape the app sandbox, and escalate privileges to full device control.
Full-chain iOS exploits are extremely valuable, and Dataminr notes that the Russian zero-day purchasing platform Operation Zero is offering up to $500,000 for iOS 26 exploits.
Cleafy has published a report on a new strain of Android malware dubbed "Albiriox" that targets users of more than 400 banking and cryptocurrency applications. Albiriox surfaced in September 2025 and transitioned to a public malware-as-a-service operation in October. The malware is delivered via social engineering attacks that trick users into installing malicious apps.
The researchers note, "Albiriox combines two core attack vectors: a VNC-based Remote Access module for real-time device control, and an Overlay Attack mechanism for credential harvesting. While the remote-control functionality is fully operational, the overlay component is under active development, with generic templates currently in place rather than application-specific phishing pages."
The White House late last week released the United States' new National Security Strategy, a 30-page document outlining the Trump administration's global priorities. On the cyber front, the biggest change is the elevation of economic power, industrial capacity, and supply-chain control as core strategic tools. The strategy says the US government should "partner with regional governments and businesses to build scalable and resilient energy infrastructure, invest in critical mineral access, and harden existing and future cyber communications networks that take full advantage of American encryption and security potential.”
The document adds, "[T]he U.S. Government’s critical relationships with the American private sector help maintain surveillance of persistent threats to U.S. networks, including critical infrastructure. This in turn enables the U.S. Government’s ability to conduct real-time discovery, attribution, and response (i.e., network defense and offensive cyber operations) while protecting the competitiveness of the U.S. economy and bolstering the resilience of the American technology sector. Improving these capabilities will also require considerable deregulation to further improve our competitiveness, spur innovation, and increase access to America’s natural resources."
POLITICO notes that the National Security Strategy is the first of several upcoming defense and foreign policy papers scheduled for release by the Trump administration. The others, including the National Defense Strategy, can be expected to be similarly on-brand.
Researchers at Koi warn that a threat actor dubbed "ShadyPanda" conducted a seven-year-long browser extension campaign that infected 4.3 million Chrome and Edge users. The extensions operated for years as legitimate tools, building trustworthy reputations and large user bases, before receiving malicious updates in mid-2024. Koi states, "These extensions now run hourly remote code execution - downloading and executing arbitrary JavaScript with full browser access. They monitor every website visit, exfiltrate encrypted browsing history, and collect complete browser fingerprints."
The extensions have since been removed from the browser extension stores, but Koi warns that previously infected browsers may still be compromised.
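A triage check for the warning above, added here as an example that is not part of Koi's report or the original post: it walks a Chrome or Edge profile's Extensions directory (assumed layout `<profile>/Extensions/<id>/<version>/manifest.json`) and flags extensions whose manifest requests access to every site, the level of access the ShadyPanda extensions used. The profile path, the two extension IDs and their manifests are constructed for the demo.

```python
"""Flag installed Chrome/Edge extensions whose manifest grants access to every site.
Hypothetical helper, not from Koi's report; directory layout and samples are assumptions."""
import json
import tempfile
from pathlib import Path

# Host patterns that grant access to every site the user visits (MV2 and MV3 spellings).
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def broad_host_access(manifest: dict) -> bool:
    """True if the manifest requests access to all sites."""
    # MV3 lists host patterns under host_permissions; MV2 mixes them into permissions.
    requested = set(manifest.get("host_permissions", [])) | set(manifest.get("permissions", []))
    return bool(requested & BROAD_HOST_PATTERNS)

def inventory(extensions_dir: Path) -> list[dict]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and summarise each one."""
    findings = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it rather than abort the sweep
        findings.append({
            "id": manifest_path.parent.parent.name,
            "version": manifest_path.parent.name,
            "name": manifest.get("name", "?"),
            "broad_host_access": broad_host_access(manifest),
            "update_url": manifest.get("update_url"),  # channel through which updates arrive
        })
    return findings

def demo() -> list[dict]:
    """Constructed sample profile (two made-up extensions) so the script runs stand-alone."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {
        "aaaabbbbccccddddeeeeffffgggghhhh/1.2.0": {"manifest_version": 3, "name": "Weather Widget",
            "permissions": ["storage"], "host_permissions": ["https://weather.example/*"]},
        "bbbbccccddddeeeeffffgggghhhhiiii/3.0.1": {"manifest_version": 2, "name": "Page Helper",
            "permissions": ["tabs", "webRequest", "<all_urls>"],
            "update_url": "https://clients2.google.com/service/update2/crx"},
    }
    for rel, manifest in samples.items():
        (root / rel).mkdir(parents=True)
        (root / rel / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return inventory(root)

if __name__ == "__main__":
    for f in demo():  # all-site access is not proof of compromise: it marks what to review
        print("REVIEW" if f["broad_host_access"] else "ok", f["id"], f["name"], "v" + f["version"])
```

Point `inventory()` at a real profile's Extensions directory to review what is actually installed; an entry flagged REVIEW is a candidate for inspection, not a verdict.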