Happy first week back in the office. Busy, isn't it?
2026 opened with RondoDox botnet operators shipping React2Shell exploits within 30 days of disclosure. The other current event of note is Trust Wallet's $8.5M theft, the first supply chain attack of this kind to come with a confirmed price tag.
The latest ISC2 data confirmed what we suspected: 88% of organizations trace security incidents to skills gaps, not headcount.
The RondoDox botnet began targeting Next.js servers vulnerable to React2Shell within weeks of the December 3 disclosure. Maximum CVSS severity. Adaptable botnet operators. Production servers exposed before most organizations had finished their initial assessment. This is what AppSec faces now.
This isn't a surprise if you've been following the pattern. Last month we covered five China-nexus groups exploiting the same vulnerability across 116,000 systems. This time commodity botnets joined the party.
But this stuff happens fast now, and the timeline tells the story: React2Shell disclosed December 3. Coordinated Adobe ColdFusion campaigns hit on Christmas Day. RondoDox weaponization confirmed by January.
Kelly Shortridge, CPO at Fastly, called it "a one click, game over kind of vulnerability." She notes, "We see it basically hitting everyone."
Framework-level vulnerabilities create a multiplicative remediation burden: one CVE potentially affects every application built on that framework, and each of those applications needs its own upgrade, rebuild, test and deploy.
Roughly ten thousand firewalls remain vulnerable to CVE-2020-12812, a five-year-old FortiOS flaw that bypasses two-factor authentication. The patch shipped in July 2020. Attackers are still actively exploiting it in January 2026.
This isn't about lazy administrators. Traditional patch management requires downtime windows, extensive testing, and coordination across teams, and those operational constraints create delays. CISA's KEV catalog grew 20% to 1,484 entries in 2025, with many entries linked to ransomware campaigns. It is simply a fact today that known, exploited vulnerabilities persist at scale despite patch availability.
The 2025 CVE Data Review is also a reminder of the pace of new vulns: 48,185 CVEs published last year, up 21% from 2024, or roughly 132 a day.
The researcher's conclusion: "You can't patch everything. Your only move is to ruthlessly prioritize based on exploitability and automate the rest." (and that's what Pixee does for you :)
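"Prioritize based on exploitability and automate the rest" is easy to say; here is what the first half looks like as code. This is an added example, not Pixee's product code and not from the CVE Data Review. It ranks findings by signals a team can pull automatically: CISA KEV membership first (known exploited), then EPSS score (probability of exploitation from FIRST's feed, hard-coded here), then CVSS and internet exposure. The KEV snapshot, EPSS values, tier rules and asset names are constructed for the example; the only real identifier is CVE-2020-12812, which is in KEV, while the CVE-9999-* IDs are placeholders, not real CVEs.

```python
"""Exploitability-first patch triage (added example, not product code).

Ranks findings by CISA KEV membership, then EPSS, then CVSS plus exposure.
KEV set, EPSS values and tier thresholds are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float
    epss: float            # constructed 30-day exploitation probability, 0..1
    internet_facing: bool


# Constructed KEV snapshot. CVE-2020-12812 is a real KEV entry; the real
# catalog had 1,484 entries at the end of 2025, not one.
KEV = {"CVE-2020-12812"}


def tier(f: Finding, kev=KEV) -> str:
    """Map a finding to an SLA tier. The thresholds are this example's, not a standard."""
    if f.cve in kev:
        # Known exploited: exposure decides whether it is today's job or this week's.
        return "P0" if f.internet_facing else "P1"
    if f.epss >= 0.5:
        return "P1"        # no KEV entry yet, but exploitation is likely
    if f.cvss >= 9.0 and f.internet_facing:
        return "P2"        # critical on paper, no exploitation signal
    return "backlog"       # candidate for automated upgrade, not a human


TIER_ORDER = {"P0": 0, "P1": 1, "P2": 2, "backlog": 3}


def prioritize(findings, kev=KEV):
    """Return findings sorted by tier, then EPSS, then CVSS, most urgent first."""
    return sorted(findings, key=lambda f: (TIER_ORDER[tier(f, kev)], -f.epss, -f.cvss))


# Constructed findings. CVE-9999-* are placeholders, not real identifiers.
SAMPLE = [
    Finding("CVE-9999-0001", "billing-api", cvss=9.8, epss=0.04, internet_facing=True),
    Finding("CVE-2020-12812", "edge-fw-01", cvss=9.8, epss=0.90, internet_facing=True),
    Finding("CVE-9999-0002", "build-runner", cvss=7.5, epss=0.72, internet_facing=False),
    Finding("CVE-9999-0003", "intranet-wiki", cvss=9.1, epss=0.01, internet_facing=False),
    Finding("CVE-9999-0004", "edge-fw-02", cvss=6.5, epss=0.02, internet_facing=True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{tier(f):8} {f.cve:16} {f.asset:14} cvss={f.cvss} epss={f.epss}")
```

Note what the ordering does with the sample: the five-year-old KEV entry on an edge firewall lands at the top ahead of a CVSS 9.8 with no exploitation signal, and the 7.5 with a high EPSS outranks the 9.8. That is the point of the quote: severity alone puts the wrong thing first.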
Trust Wallet lost $8.5 million after attackers used stolen keys to inject malicious code into its Chrome extension. The attack traces back to the Shai-Hulud 2.0 supply chain compromise that exposed GitHub secrets at scale.
This matters because it's the first major financial loss publicly attributed to developer-secret exposure through a supply chain attack. Abstract risk became concrete dollars. The same week, a GitHub Actions compromise affected 23,000 repositories, GlassWorm distributed trojanized VSCode extensions, and NeoShadow combined JavaScript, MSBuild, and blockchain techniques in a multi-stage npm attack.
Attackers are converging on developer tooling: npm packages, VSCode extensions, GitHub secrets, CI/CD pipelines. Traditional perimeter security doesn't help when developers work with tools and credentials that provide direct paths to production.
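One concrete control against the CI/CD leg of this, as an added example that is not from the page and does not assume the mechanism of the specific GitHub Actions incident above: a workflow step that references an action by tag or branch (`owner/repo@v4`, `@main`) runs whatever that ref points to on the day the job executes, so anyone who can move the tag can run code with the workflow's secrets. A full 40-character commit SHA names one immutable commit. The script below audits `uses:` lines for mutable references. The sample workflow is constructed, and the commit SHA in it is illustrative.

```python
"""Flag GitHub Actions steps that pin to a mutable tag or branch instead of a commit SHA.

Added example, not from the page or any project. Local actions (./path) and
docker:// images are reported as out of scope rather than judged.
"""
import re

# Constructed sample workflow; the SHA is illustrative, not a verified commit.
SAMPLE_WORKFLOW = """
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
      - uses: some-org/unversioned-action
      - run: npm ci
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_uses(ref: str):
    """Classify one `uses:` reference. Returns (verdict, reason)."""
    if ref.startswith("./"):
        return "skip", "local action, reviewed with the repo itself"
    if ref.startswith("docker://"):
        return "skip", "container image, pin by digest separately"
    if "@" not in ref:
        return "fail", "no ref at all, resolves to the default branch"
    _, _, version = ref.rpartition("@")
    if SHA_RE.match(version):
        return "ok", "pinned to a commit SHA"
    return "fail", f"mutable ref '{version}', can be repointed by the action's owner"


def audit_workflow(text: str):
    """Return (line_number, ref, reason) for every step that fails the check."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip().strip("\"'")
        verdict, reason = check_uses(ref)
        if verdict == "fail":
            findings.append((lineno, ref, reason))
    return findings


if __name__ == "__main__":
    for lineno, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {reason}")
```

Pinning to a SHA closes the tag-repointing path but not the others the page lists: a compromised maintainer can still publish a malicious commit, and a SHA pin does nothing for secrets already leaked. Treat it as one layer, and run the check in CI so a new unpinned step fails review rather than a quarterly audit.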
ISC2's 2025 workforce study reframes the security staffing challenge. 88% of organizations experienced security incidents due to skills gaps, not insufficient headcount. The bottleneck isn't how many people you have. It's whether limited expertise can scale to threat velocity.
The cost constraint is real. 29% of organizations cannot afford staff with the needed skills. 33% lack sufficient budget to adequately staff teams. Meanwhile, 48,185 CVEs shipped in 2025 (roughly 132 a day, up 21% YoY), framework vulnerabilities move to exploitation in weeks, and Daniel Miessler's 2026 predictions forecast AI agents increasingly handling security operations at scale.
Industry consolidation reflects the same thesis. December saw 30 cybersecurity M&A deals, with direct AppSec competitors making strategic acquisitions. When major vendors pay premium multiples for automation capabilities, they're betting on where the category is headed.
The vulnerability explosion tells the story.
• 115 CVEs disclosed daily as of mid-2025 (22,250+ in the first half, up 30% YoY), with the full year closing at 48,185
• 305,000+ total CVEs in the database
• 245 new entries in CISA's KEV catalog in 2025, taking it to 1,484 (+20%)
• 45% more legacy vulnerabilities added, some dating to 2007
48,185 CVEs. 88% of organizations hit by incidents tied to skills gaps. 29% can't afford the expertise. Hiring isn't the fix. Rethinking how you deploy limited expertise is.
React2Shell (CVE-2025-55182)
Affected: React Server Components (React 19, including Next.js App Router deployments)
CVSS: 10.0 (Maximum)
Status: Actively exploited
Maximum-severity vulnerability in React Server Components allowing remote code execution. RondoDox botnet weaponized it within weeks of the December 3 disclosure.

CVE-2020-12812
Affected: FortiOS
CVSS: 9.8 (Critical)
Status: Actively exploited
Five-year-old FortiOS flaw bypassing two-factor authentication. 10,000+ firewalls remain vulnerable despite a patch available since July 2020.

IBM API Connect authentication bypass
Affected: IBM API Connect
CVSS: Critical
Status: Active exploitation likely
Critical authentication bypass in IBM API Connect affecting enterprise API infrastructure.

CVE-2025-61808
Affected: Adobe ColdFusion
CVSS: Critical
Status: Actively exploited
RCE via ColdFusion Archive deployment. Coordinated exploitation campaign observed over the Christmas holiday period.

Dolby Android vulnerability
Affected: Android (Dolby component)
CVSS: Critical
Status: Patched
Critical Dolby vulnerability patched in the Android January security update.

Shai-Hulud 2.0
Impact: $8.5M theft from Trust Wallet
Vector: npm package compromise exposing GitHub secrets
Status: Ongoing, variants detected

GlassWorm
Impact: Trojanized VSCode extensions targeting Mac users
Vector: OpenVSX marketplace distribution
Status: Active

NeoShadow
Impact: Multi-stage npm supply chain attack
Vector: JavaScript + MSBuild + blockchain techniques
Status: Active

GitHub Actions compromise
Impact: 23,000 repositories affected
Vector: CI/CD pipeline compromise
Status: Remediation ongoing
• 48,185 CVEs published in 2025 (+21% YoY)
• 1,484 entries in CISA's KEV catalog after 20% growth in 2025
• 245 of those KEV entries were added in 2025
Guardrails Make AI-Assisted Development Safer By Design Why it's worth your time: As AI coding assistants proliferate, this piece establishes that securing AI-generated code requires architectural controls, not just scanning. Essential context for teams adopting GitHub Copilot or similar tools.
2025 Hacking the Cloud: Year in Review Why it's worth your time: Comprehensive retrospective on cloud attack techniques that evolved in 2025. Provides tactical awareness for teams securing cloud-native applications and infrastructure.
IDOR Vulnerabilities Explained: Why They Persist in Modern Applications Why it's worth your time: Insecure Direct Object References remain stubbornly common despite decades of awareness. This deep-dive explains why they persist and what modern prevention looks like.
Cybersecurity Leaders' Resolutions for 2026 Why it's worth your time: CISOs and security leaders share their priorities for the year ahead. Useful benchmark for aligning your Q1 roadmap with industry direction.