If you’re running a Next.js application or any application that uses React Server Components in production, you really want to patch it. Now.
Even if you just patched two weeks ago.
It’s roundup time again, and this time out we’re covering the major cybersecurity news and events since our last roundup ran in mid-October.
Today we’re leading with the React woes, which can enable remote execution of code on your server (worst case), expose source code, and lead to denial of service. As of December 10, 165,000 IPs and 644,000 domains still looked vulnerable, with exploitations well underway.
Today we also cover other big newsmakers, cloud and service outages, cybersecurity skills most in demand, AI threats, and 2025 vulnerabilities in review. We also hit the major ransomware, malware, and breach updates.
With much of the year in the rearview mirror, if you need to catch up, check out all of our 2025 cybersecurity news roundup coverage below:
Major React Server Vulnerability Kicks Off December 2025
A critical vulnerability in React Server Components (called React2Shell) was disclosed on December 3 and has suffered widespread exploitation.
This is one of those “drop everything and address” kind of vulnerabilities, ranked 10/10 in severity.
It allows unauthenticated remote code execution (RCE).
React has widespread adoption, and this vulnerability can occur simply by having packages present—even if companies aren’t aware of using React server features.
In the days following disclosure, numerous reports also profiled rapid exploitation activity. On December 12, Google Threat Intelligence detailed some of these, including early confusion caused by some nonfunctioning exploit code, claims of AI-generation and more, even as real attacks expanded.
Luckily, the solution is straightforward: patch immediately, audit dependencies, monitor for suspicious activity.
As mentioned above, this was the showstopper, but it’s been followed by disclosure of two additional vulnerabilities related to Server Actions that were discovered in the process of addressing this one.
One of these allows attackers to trigger a denial of server by endless looping, and another can expose source code.
Patches are available for all these vulnerabilities, with the last two made available by the React team in recent days.
More on the Oracle E-Business Suite Data Breach
In early November, it was confirmed the Washington Post joined a growing list of victims from a breach tied to Oracle’s E-Business Suite (EBS) software. More than 100 companies are likely to be impacted, per reporting from Reuters, including Harvard University and American Airlines subsidiary Envoy so far.
These attacks have been tied to the Cl0p ransomware group, and it’s yet another example of how security issues can rapidly cascade across organizations.
TechCrunch reported the group asked for a $50 million ransom from one affected company, and the group publicly taunted the Washington Post on its website, claiming it had neglected its own security.
The vulnerability allowed unauthorized access to customer applications, making the information exposed variable. The Cl0P gang has claimed that disclosures here included full names, bank account and routing numbers, Social Security numbers, and tax ID numbers.
WhatsApp’s Phone Numbers Leak
Wired reported in November on a security flaw in WhatsApp that allowed Austrian researchers to pull some 3.5 billion registered photo numbers, and, in some cases, also profile photos (57%), and even profile text (29%).
This was done entirely by checking ranges of possible numbers, at very high speed and scale, using the feature that shows if someone you know is already on the platform. The researchers noted that it would be the largest data leak in history, had it not been part of a responsibly run research study.
They disclosed the information to Meta in April and then deleted their dataset, with Meta announcing they’d applied stronger rate limiting in October.
Note that messages themselves remained encrypted throughout, and the exploit was more about hackers gaining information they could use to more effectively scam individuals.
Also in the period, CISA alerted that multiple threat actors are using encrypted messaging apps (including WhatsApp, as well as Signal and Telegram) to deliver and control spyware, as well as for phishing and account-takeover strategies aimed at high-value targets.
This includes techniques like using malicious QR codes for device-linking and even no-click scam attacks that require no user interaction at all.
‘Digital Resilience’ Trends Up Again in Late 2025
Last year during the CrowdStrike outage, we were among many firms talking about digital resilience, and this came up again in our Founder and CEO’s recent newsletter about cyber insurance.
During this period, the world experienced several similar outages paralyzing a surprisingly wide array of services across industries. And while none of the three were related to cybercrime, they demonstrate our dangerously fragile array of dependencies.
Global dependence on the hyperscalers was the story of two of these: a late October DNS issue within AWS that triggered impacts to some 70 other services; and an Azure cloud outage that shut down Office365, Minecraft, and more.
The third event was triggered by internet services company Cloudflare on November 18. This outage was initially (wrongly) tied to a cyberattack but was actually caused by an internal permissions change.
This caused a bot management file to double in size. It exceeded its limit, and propagated, triggering ongoing failures until it could be stopped and replaced.
According to Krebs on Security, some customers managed to route around Cloudflare to restore their own availability, but in the process, potentially weakened their own protections and opened themselves to attackers.
Again, all of these demonstrate dangerous dependencies—with bottlenecks or chokepoints—where a single-vendor DNS reliance can paralyze numerous services and also make pivoting extremely difficult.
Top Cybersecurity Skills for 2026 and Work News
One thing that can help companies with their resilience? Experienced professionals, and in December the non-profit ISC2 released its Cybersecurity Workforce Study, profiling the state of play for the field.
With a record 16,000+ cybersecurity practitioners and leaders participating from regions all around the world, its findings saw budget cuts easing (cuts indicated by 36% of orgs) even as hiring freezes stayed relatively high but also steady (39%).
Skills gaps remain at the center of their findings, as indicated above, with the top needed skills needed for 2026 being:
- Artificial intelligence (surprise, surprise)
- Cloud computing security
- Risk assessment, analysis, and management
- Application security
- Governance, risk management, and compliance
More broadly, according to Jen Easterly, former head of CISA, “America’s digital defenses are failing.” In recent writings and talks (as reported by the Cybernews), Easterly emphasized that software quality may be an even bigger problem than security, arguing that the cybersecurity industry is charged with covering for many of these weaknesses.
She warned that AI is helping criminals find the flaws more quickly, though also that she believes AI will make it possible to secure AI code at scale in ways never before possible.
This includes finding and resolving defects, searching out issues in legacy code, and building future products that are secure by default, from the start.
[PTP has experience helping companies implement many of these very solutions. If your company wants to harness AI to improve software quality, talk to us.]
AI Security Threats
OWASP just released its own top 10 list for the biggest security risks for autonomous/agentic AI systems. These include:
- Agent goal hijacking
- Tool misuse and exploitation
- Identity and privilege abuse
- Agentic supply chain vulnerabilities
- Unexpected code execution (RCE)
- Memory and context poisoning
- Insecure inter-agent communication
- Cascading failures
- Human-agent trust exploitation
- Rogue agents
You can check out the full details for each in their full documentation.
The Agentic AI Crime is Here
We touched on the arrival of more sophisticated AI cybercrime in our last AI news roundup, but the bottom line is what’s long been predicted is finally starting to arrive.
And while Google’s analysis of initial AI-developed malware samples found them to be rudimentary, easy to detect, and fairly ineffective (lacking key capabilities like persistence, lateral movement, or advanced evasion), Anthropic’s profile of large-scale agentic cybercrime deployed by a Chinese state-sponsored group looked far more effective.
Overall, Google Cloud is projecting significant increases in AI-assisted phishing, social engineering, malware development, automated exploitation, and deepfake scams.
It underscores that while AI tools improve defensive automation, they also lower the barriers for attackers.
Nvidia Deepfake Attack Draws Many More Views than the Real Thing
Of course, AI’s most effective and widespread use in cybercrime today comes via social engineering, with improved BEC (and phishing overall) materials, and deepfakes like one that made news during Nvidia’s GPU Technology Conference (GTC).
During the company’s official keynote address, a deepfake was spawned on YouTube and, listing higher in search engines, managed to reach some eight-times more viewers than the real thing. (The deepfake version had 100,000 viewers at one point.)
While the real Nvidia CEO Jensen Huang was announcing a billion-dollar investment in Nokia, the fake Jensen Huang reportedly said he was postponing the talk briefly for “a crypto mass adoption event that ties directly into Nvidia’s mission to accelerate human progress.”
A QR code in the fake livestream led users to a site that would supposedly turn cryptocurrency around for a profit (while actually stealing it).
2025’s Critical Vulnerabilities
The nonprofit MITRE Corporation released their 2025 Common Weakness Enumeration (CWE) top 25 list in December, and you can read the full thing here.
Their top ten:
- Cross-site scripting (for the second straight year)
- SQL injection
- Cross-site request forgery (CSRF)
- Missing authorization
- Out-of-bounds write
- Path traversal
- Use after free
- Out-of-bounds read
- OS command injection
- Code injection
The top four all rose or remained from the year prior.
CISA during the period also warned about the continued use of China-backed BRICKSTORM malware targeting critical infrastructure. Working as a sophisticated backdoor for espionage, it manages network persistence and has been a continued risk for organizations.
Ransomware Trends and Phishing-as-a-Service
Google in November announced a suit against 25 individuals it alleges are part of the Lighthouse scam network (part of the Smishing Triad) that’s targeted millions of Americans and people across 120 nations worldwide.
They utilize a phishing-as-a-service platform (also called Lighthouse) which Google alleges offers weekly, monthly, and annual subscription service to scammers.
The Cybernews in early November reported on a drop of some 2TB of data (employee and client records) reportedly tied to US manufacturing company Gemini Group Inc. The Rhysida gang leaked the data after dropping earlier examples in October, leading researchers to speculate a ransom demand had not been met.
A similar fate may have befallen Japanese beer producer Asahi, whose attack we reported on last time out. In November, the company confirmed that as many as 1.5 million customers may have their data exposed, as well as employee and partner information. The disruption paralyzed the company’s ability to ship its products and took them two months to contain.
In another callback, the NPM package virus named after the massive worms from Dune came back in this period as version 2.0, infecting more than 25,000 GitHub repositories, targeting CI/CD pipelines, and stealing credentials.
Microsoft’s security team details the supply-chain attack in depth on its own blog.
The Data Breaches Worldwide Whirlwind
The Chinese cybersecurity firm KnownSec suffered its own data breach in November, and among the 12,000 documents: correspondence on hacking tools and details on some 80 organizations hackers have stolen information from, including Indian immigration data and South Korean telecom data.
South Korea telecom data breaches were in the news with new disclosures from LG Uplus, the nation’s third major telecom to face a cybersecurity incident this year. They confirmed that attackers accessed internal systems and leaked data tied to some 42,000 customers and 167 employees, with the company still working on their investigation.
TechCrunch, meanwhile, reported that South Korean retail powerhouse Coupang’s CEO Park Dae-jun resigned, taking the blame after their own massive data breach was disclosed.
This leak included personal information for more than half the nation’s population, or some 34 million people. It is now known to have begun in June, but was only detected in November, and at the time linked with just 4,500 accounts.
Conclusion
That concludes our roundup through the middle of December. If your company is in need of experienced cybersecurity experts with the most in-demand skills, talk to PTP.
We have now more than 28 years of excellence in the tech recruiting and consulting business, and love helping companies shore up their defenses onsite or off, with quality nearshore, offshore, or onshore talent.
Start 2026 off with stronger defenses. From everyone at the cybersecurity roundup desk, have a wonderful and safe holiday season!
References
React Server Components crisis escalates as security teams respond to compromises, Cybersecurity Dive
Multiple Threat Actors Exploit React2Shell (CVE-2025-55182), Google Threat Intelligence Group
Denial of Service and Source Code Exposure in React Server Components, React
Washington Post says it is among victims of cyber breach tied to Oracle software, Reuters
Microsoft deploys a fix to Azure cloud service that’s hit with outage, Associated Press
The Cloudflare Outage May Be a Security Roadmap, Krebs on Security
The Cloudflare outage explained: What happened, who was impacted, and what was the root cause?, IT Pro
Admins and defenders gird themselves against maximum-severity server vuln and 5 AI-developed malware families analyzed by Google fail to work and are easily detected, Ars Technica
Cybersecurity Forecast 2026 report, Google Cloud
A deepfake video of Nvidia’s CEO sent thousands of viewers to a crypto scam, PC World
This Is the Platform Google Claims Is Behind a ‘Staggering’ Scam Text Operation and A Simple WhatsApp Security Flaw Exposed 3.5 Billion Phone Numbers, Wired
Ex-CISA head Easterly thinks AI will unalive the cybersecurity industry, Hacking spree continues with Mazda, Canon, and NHS added to the list, LG Uplus joins three major South Korean telecoms hacked this year, Attackers drop terrabytes of US manufacturing giant’s data, The Cybernews
Risky Bulletin: Another Chinese security firm has its data leaked, Risky Biz
Washington Post confirms data breach linked to Oracle hacks and CEO of South Korean retail giant Coupang resigns after massive data breach, Tech Crunch
Asahi says 1.5 million customers’ data potentially leaked in cyber-attack, BBC
