React2Shell Hits Botnets and Supply Chain Vulns Cost $ | Jan 1-7

January 7, 2026

Big Picture

React2Shell disclosed December 3. Weaponized by RondoDox January 2.

Happy first week back in office. Busy isn't it?

2026 opened with RondoDox botnet operators shipping React2Shell exploits within 30 days of disclosure. The other current event of note is Trust Wallet's $8.5M theft, the first supply chain attack of this kind to come with a confirmed price tag.

The latest ISC2 data confirmed what we suspected: 88% of organizations trace security incidents to skills gaps, not headcount.

React2Shell Moves From Disclosure to Botnet in Weeks

The RondoDox botnet began targeting Next.js servers vulnerable to React2Shell within weeks of the December 3 disclosure. Maximum CVSS severity. Adaptable botnet operators. Production servers exposed before most organizations finished initial assessments. This is what AppSec faces these days.

This isn't a surprise if you've been following the pattern. Last month we covered five China-nexus groups exploiting the same vulnerability across 116,000 systems. This time commodity botnets joined the party.

But boy does this stuff happen fast now. The timeline tells the story. React2Shell disclosed December 3. Coordinated Adobe ColdFusion campaigns (a different product, same holiday window) hit Christmas Day. RondoDox weaponization of React2Shell confirmed by January 2.

Kelly Shortridge, CPO at Fastly, called it "a one click, game over kind of vulnerability." She notes, "We see it basically hitting everyone."

Takeaways

Framework-level vulnerabilities create a multiplicative remediation burden: one CVE potentially affects every application built on that framework, and every copy of the framework nested inside those applications' dependency trees.
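One way to act on that takeaway, as an added example that is not code from this page or from any vendor: inventory every npm lockfile in the estate and list each installed copy of the framework packages that falls inside an affected range, including transitive copies that a top-level package.json check would miss. The version ranges below are placeholders, not the published React2Shell advisory ranges; substitute the vendor's numbers. The lockfile contents are constructed.

```python
"""Framework exposure inventory across many npm lockfiles (added example).
Lockfiles below are constructed; the affected ranges are placeholders."""
import json
import re

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# PLACEHOLDER ranges (inclusive lo..hi). NOT the real React2Shell advisory
# ranges: replace with the versions the vendor advisory actually lists.
PLACEHOLDER_AFFECTED = {
    "react": [("19.0.0", "19.1.1")],
    "next": [("15.0.0", "15.1.9")],
}

# Constructed sample lockfiles in npm lockfileVersion 3 layout.
SAMPLE_LOCKFILES = {
    "apps/storefront/package-lock.json": json.dumps({
        "name": "storefront", "lockfileVersion": 3,
        "packages": {
            "": {"dependencies": {"next": "^15.0.0"}},
            "node_modules/next": {"version": "15.1.0"},
            "node_modules/react": {"version": "19.0.0"},
        }}),
    "apps/admin/package-lock.json": json.dumps({
        "name": "admin", "lockfileVersion": 3,
        "packages": {
            "": {"dependencies": {"next": "^14.2.0"}},
            "node_modules/next": {"version": "14.2.3"},
            "node_modules/react": {"version": "18.3.1"},
        }}),
    # A nested React copy hidden under another library's node_modules.
    "services/legacy/package-lock.json": json.dumps({
        "name": "legacy", "lockfileVersion": 3,
        "packages": {
            "": {},
            "node_modules/react": {"version": "19.2.0"},
            "node_modules/some-lib": {"version": "1.0.0"},
            "node_modules/some-lib/node_modules/react": {"version": "19.1.0"},
        }}),
}


def parse_semver(version: str) -> tuple[int, int, int]:
    """Numeric (major, minor, patch); pre-release suffixes are ignored."""
    m = _SEMVER.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def in_range(version: str, lo: str, hi: str) -> bool:
    return parse_semver(lo) <= parse_semver(version) <= parse_semver(hi)


def installed_versions(lock_text: str) -> dict[str, set[str]]:
    """name -> every version installed anywhere in the tree.
    Nested copies (node_modules/x/node_modules/react) still ship and still
    run, so they count; the root package.json alone would not show them."""
    lock = json.loads(lock_text)
    found: dict[str, set[str]] = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # keeps @scope/name intact
        if "version" in meta:
            found.setdefault(name, set()).add(meta["version"])
    return found


def find_affected(lockfiles: dict[str, str],
                  affected: dict[str, list[tuple[str, str]]]) -> dict[str, list[str]]:
    """{lockfile path: ['pkg@version', ...]} for every install inside a range."""
    hits: dict[str, list[str]] = {}
    for path, text in lockfiles.items():
        for name, versions in installed_versions(text).items():
            for v in sorted(versions, key=parse_semver):
                if any(in_range(v, lo, hi) for lo, hi in affected.get(name, [])):
                    hits.setdefault(path, []).append(f"{name}@{v}")
    return hits


if __name__ == "__main__":
    for path, pkgs in find_affected(SAMPLE_LOCKFILES, PLACEHOLDER_AFFECTED).items():
        print(path, "->", ", ".join(pkgs))
```

Point the loader at the real lockfiles (a `glob` over the monorepo, or a clone of every repo that deploys a Node service) and the output is the list of deployments that need a rebuild, not just the ones whose package.json mentions the framework.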

Five Years Later, 10,000 FortiOS Firewalls Still Vulnerable

Ten thousand firewalls remain vulnerable to CVE-2020-12812, a five-year-old FortiOS flaw that bypasses two-factor authentication. The patch shipped July 2020. Attackers are still actively exploiting it in January 2026.

This isn't about lazy administrators. Traditional patch management requires downtime windows, extensive testing, and coordination across teams. Operational constraints create delays. CISA's KEV catalog grew 20% to 1,484 entries in 2025, with many linked to ransomware campaigns. It's just a fact today that known, exploited vulnerabilities persist at scale despite patch availability.

Takeaways

The 2025 CVE Data Review is also a reminder of the pace of new vulns: 48,185 CVEs published last year, up 21% from 2024.

The researcher's conclusion: "You can't patch everything. Your only move is to ruthlessly prioritize based on exploitability and automate the rest." (and that's what Pixee does for you :)
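What "ruthlessly prioritize based on exploitability" looks like as a sort key, as an added example (not Pixee's tooling and not the researcher's): rank findings by evidence of exploitation first and CVSS second, then hand the low tiers to automation. The KEV excerpt is constructed in the shape of CISA's JSON feed with illustrative field values; CVE-2020-12812 is the one identifier taken from the text above, and the CVE-XXXX-* IDs, asset names and scores are placeholders.

```python
"""Exploitability-first remediation triage (added example).
KEV excerpt and findings are constructed; only CVE-2020-12812 is a real ID."""
import json
from dataclasses import dataclass

# Constructed excerpt in the shape of CISA's known_exploited_vulnerabilities.json.
# Values are illustrative, not copied from the live feed.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2020-12812", "vendorProject": "Fortinet", "product": "FortiOS",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-XXXX-0003", "vendorProject": "ExampleCo", "product": "HRPortal",
     "knownRansomwareCampaignUse": "Unknown"},
]})


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float
    internet_exposed: bool
    patch_available: bool = True


# Constructed findings. Note the highest CVSS is on an internal build box.
SAMPLE_FINDINGS = [
    Finding("CVE-XXXX-0001", "build-runner-07", 9.9, internet_exposed=False),
    Finding("CVE-XXXX-0002", "web-01", 9.1, internet_exposed=True),
    Finding("CVE-2020-12812", "fw-edge-01", 9.8, internet_exposed=True),
    Finding("CVE-XXXX-0003", "hr-app", 7.5, internet_exposed=False),
]


def load_kev(feed_text: str) -> dict[str, bool]:
    """cveID -> whether CISA records known ransomware campaign use."""
    feed = json.loads(feed_text)
    return {v["cveID"]: v.get("knownRansomwareCampaignUse") == "Known"
            for v in feed["vulnerabilities"]}


def tier(f: Finding, kev: dict[str, bool]) -> int:
    """0 = fix now ... 3 = routine. Exploitation evidence outranks CVSS."""
    if f.cve in kev:
        return 0 if f.internet_exposed else 1
    if f.cvss >= 9.0 and f.internet_exposed:
        return 2
    return 3


def sort_key(f: Finding, kev: dict[str, bool]) -> tuple:
    # Within a tier: ransomware-linked first, then higher CVSS, then asset name
    # so the output is stable run to run.
    return (tier(f, kev), not kev.get(f.cve, False), -f.cvss, f.asset)


def triage(findings: list[Finding], kev_feed_text: str) -> dict[str, list[Finding]]:
    """Split into a hand-worked queue (tiers 0-1), an automation queue
    (tiers 2-3 with a vendor patch) and a no-patch list, each by urgency."""
    kev = load_kev(kev_feed_text)
    ranked = sorted(findings, key=lambda f: sort_key(f, kev))
    return {
        "manual": [f for f in ranked if tier(f, kev) <= 1],
        "automate": [f for f in ranked if tier(f, kev) >= 2 and f.patch_available],
        "no_patch": [f for f in ranked if tier(f, kev) >= 2 and not f.patch_available],
    }


if __name__ == "__main__":
    for queue, items in triage(SAMPLE_FINDINGS, KEV_FEED).items():
        print(queue)
        for f in items:
            print(f"  {f.cve:16} {f.asset:16} cvss={f.cvss} exposed={f.internet_exposed}")
```

With the sample input the CVSS 9.9 finding lands last: it is not in KEV and not reachable from the internet, so it goes to the automated patch queue while the five-year-old FortiOS entry goes to the top of the manual queue. Swap the constructed feed for the real CISA JSON and the findings for your scanner export and the logic is unchanged.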

Trust Wallet's $8.5M Loss Puts a Dollar Figure on Supply Chain Risk

Trust Wallet lost $8.5 million after hackers used stolen keys to inject malicious code into its Chrome extension. The attack traces back to the Shai-Hulud 2.0 supply chain compromise that exposed GitHub secrets at scale.

This matters because it's the first major financial loss publicly attributed to developer secrets exposure via a supply chain attack. Abstract risk became concrete dollars. The same week, a GitHub Actions compromise affected 23,000 repositories, GlassWorm distributed trojanized VSCode extensions, and NeoShadow combined JavaScript, MSBuild, and blockchain techniques in a sophisticated multi-stage npm attack.

Takeaways

Attackers are converging on developer tooling: npm packages, VSCode extensions, GitHub secrets, CI/CD pipelines. Traditional perimeter security doesn't help when developers work with tools and credentials that provide direct paths to production.
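The control that would have made a stolen developer secret less valuable is finding it before the attacker does. As an added example (not Trust Wallet's or GitHub's code), here is a small scanner that runs known token formats plus an entropy check over repository files and CI configuration; the file contents and the tokens in them are constructed (the AWS key is Amazon's documented example value), and the regexes cover the published prefixes of GitHub classic PATs, npm tokens and AWS access key IDs.

```python
"""Secret scanner over repo and CI files (added example; sample files constructed)."""
import math
import re

# Known-format tokens. Prefix formats are the vendors' published ones; the
# sample values below are fabricated (36 filler chars) to satisfy the regex.
PATTERNS = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Fallback: a secret-looking assignment whose value is long and high-entropy.
ASSIGNMENT = re.compile(
    r"""(?i)(?:secret|token|password|api[_-]?key)\w*\s*[:=]\s*['"]?([A-Za-z0-9+/=_\-]{20,})""")

# Constructed sample files: one leak in a workflow env block, one placeholder
# reference that must NOT fire, two leaks in a shell script, one in a .env.
SAMPLE_FILES = {
    ".github/workflows/publish.yml":
        "name: publish\nenv:\n  NPM_TOKEN: npm_0123456789abcdefghijklmnopqrstuvwxyz\n  NODE_VERSION: 20\n",
    ".npmrc":
        "//registry.npmjs.org/:_authToken=${NPM_TOKEN}\n",
    "scripts/deploy.sh":
        "export GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    ".env.example":
        "DB_PASSWORD=hunter2\nAPI_SECRET=q9Zx2LmP8vTb4RkW7sYc1NhE\n",
}


def shannon_entropy(s: str) -> float:
    """Bits per character; ~4.6 for 24 distinct chars, ~2.5 for English words."""
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Never echo the full value into logs or tickets."""
    return f"{secret[:6]}...({len(secret)} chars)"


def scan_text(path: str, text: str, entropy_threshold: float = 3.8) -> list[tuple]:
    """(path, line number, kind, redacted value) for each hit in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        matched = False
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((path, lineno, kind, redact(m.group(0))))
                matched = True
        if matched:
            continue  # a known format is already reported; skip the heuristic
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= entropy_threshold:
            findings.append((path, lineno, "high_entropy_assignment", redact(m.group(1))))
    return findings


def scan_files(files: dict[str, str]) -> list[tuple]:
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


if __name__ == "__main__":
    for path, lineno, kind, value in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {kind}: {value}")
```

Two details matter in practice: the `.npmrc` line that references `${NPM_TOKEN}` is a correct pattern and produces no finding, while the workflow that pastes the literal token into `env:` does; and `hunter2` is skipped not because it is safe but because the heuristic needs length to be meaningful, so weak short passwords need a different control (rotation plus MFA on the registry account).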

88% of Organizations Trace Security Incidents to Skills Gaps, Not Headcount

ISC2's 2025 workforce study reframes the security staffing challenge. 88% of organizations experienced security incidents due to skills gaps, not insufficient headcount. The bottleneck isn't how many people you have. It's whether limited expertise can scale to threat velocity.

The cost constraint is real. 29% of organizations cannot afford staff with needed skills. 33% lack sufficient budget to adequately staff teams. Meanwhile, 48,185 CVEs shipped in 2025 (up 21% on 2024; the mid-year run rate was already 115 a day), framework vulnerabilities move to exploitation in weeks, and Daniel Miessler's 2026 predictions forecast AI agents increasingly handling security operations at scale.

Industry consolidation reflects the same thesis. December saw 30 cybersecurity M&A deals, with direct AppSec competitors making strategic acquisitions. When major vendors pay premium multiples for automation capabilities, they're betting on where the category is headed.

The vulnerability explosion tells the story.

• 115 CVEs disclosed daily (22,250+ by mid-2025, up 30% YoY)

• 305,000+ total CVEs in the database

• 245 new entries in CISA's KEV catalog (+20% vs. 2024)

• 45% more legacy vulnerabilities being added, some dating to 2007

Takeaways

48,185 CVEs. 88% of organizations hit through skills gaps. 29% can't afford the expertise. Hiring isn't the fix. Rethinking how you deploy limited expertise is.