
⏱️ ≈ 9-minute read

Editor’s Note: React2Shell turned the internet into an accidental stress test this week — and the internet failed. Also: Apple and Google are basically running the world’s largest “You Might Be Targeted by a Nation-State” subscription service and Kohler lied about your poo pics. Fun times. Let’s get into it.

📬 This Week’s Clickables

  • 📌 Big News

    • React2Shell: From KEV to Cloudflare chaos; Apple & Google blast global spyware alerts

  • 🚨 Can’t Miss

    • Apache Tika XXE; D-Link exploitation; $4.5B ransomware economy; telemetry overload attacks; FrostBeacon

  • 🤖 AI in Cyber

    • GhostPenguin; malicious VS Code extensions; AI-driven eCommerce attacks; AI agents; AI-generated ransomware extension

  • 🧪 Strange Cyber Story

    • Smart toilet camera… not actually end-to-end encrypted

🚨 Big Stories

💥 The React2Shell Domino Effect: From KEV to Global Infrastructure Fallout

Intro:
React2Shell went from “new framework vuln” to “internet-wide incident” in record speed. The chain reaction touched nearly every part of the ecosystem — attackers, defenders, infrastructure providers, and everyone caught in between.

What Happened:
CISA added React2Shell (CVE-2025-55182) to the KEV catalog after confirming active exploitation. Within hours, Chinese-nexus APTs were exploiting it in live attacks, followed by opportunistic scanning from basically every botnet still plugged in. Burp Suite and ActiveScan++ shipped new detection modules, but the mitigation side was where the real damage landed: an emergency WAF change Cloudflare pushed in response triggered a global outage that briefly disrupted up to a quarter of the HTTP traffic it fronts.

Why It’s Important:
React and Next.js power hundreds of thousands of production apps. A single RCE in the server component layer magnifies across the web stack — and when mitigation itself can break the internet, you learn very quickly where the real fragility lives.

The Other Side:
Web frameworks patch fast. Enterprises… less so. And mitigations aren’t magic force fields — they’re Band-Aids with side effects.

👉 Takeaway:
Patch your React Server Components. Then verify your WAF isn’t going to take your entire org offline trying to “protect” you.

TL;DR:
An app-layer vulnerability turned into a whole-internet problem in under a week.

In 2024, over 83% of all public CVEs had a working exploit or PoC available within 48 hours of disclosure. (Source: Recorded Future)

🌐 A Global Wave of Spyware Alerts: Apple and Google Warn Users in 150+ Countries

Intro:
If your phone buzzed this week, it might not have been a calendar reminder — it might’ve been Apple or Google warning you that a government is trying to hack you.

What Happened:
Apple sent cyber threat notifications to users in 84 countries, warning of suspected state‑sponsored targeting. Google issued its own wave of global alerts, with some activity tied to sophisticated spyware operators. Together, the companies say they’ve now notified users in over 150 countries — effectively running the largest civilian threat‑notification system in the world.

Why It’s Important:
These alerts overwhelmingly hit high‑risk individuals: journalists, activists, enterprise executives, diplomats, and government staff. The scale underscores the normalization of nation‑state surveillance across consumer devices.

The Other Side:
Neither company discloses attacker identities or technical details, leaving recipients with actionable concern… but not much clarity.

👉 Takeaway:
If you receive one of these alerts, treat it as confirmation of a state‑backed threat, because it is. Enable Lockdown Mode (iOS) or Advanced Protection (Google), do not factory‑reset the device before someone has taken a forensic image of it, and get it examined by a trusted helpline such as Access Now's Digital Security Helpline.

TL;DR:
Apple and Google are issuing global notifications at unprecedented scale, signaling widespread spyware targeting.


🔥 Can’t Miss

  • Apache Tika’s new XXE vulnerability affects multiple parser modules and exposes at least 500 internet-facing deployments. Attackers can read files or reach internal systems via crafted documents. 👉 If your company processes PDFs or documents at scale, assume you’re using Tika somewhere and patch immediately. Tika is embedded in Solr, Elasticsearch’s ingest-attachment plugin and plenty of document pipelines, so check dependency trees, not just direct installs.

  • A long-known buffer overflow in end-of-life D-Link routers is seeing fresh exploitation. These devices still power countless small offices and remote workers. 👉 Legacy edge hardware is the softest target in your entire fleet, and end-of-life means no patch is coming: replace it.

  • Financial intelligence data confirms ransomware operators have extracted over $4.5 billion cumulatively, with 2023 hitting a record. 👉 The business model isn’t dying — it’s maturing.

  • Telemetry overload attacks flood EDR/SIEM pipelines with malformed or deeply nested telemetry, causing silent log drops. 👉 “No alerts” doesn’t mean “no attack.” Instrument your pipeline so every dropped event is counted and a quiet source fires an alert.

  • FrostBeacon: a targeted phishing campaign delivering multi‑stage Cobalt Strike payloads into finance and legal orgs. 👉 This is BEC + full compromise in one bundle.


🤖 AI in Cyber

🧟‍♂️ Strange Cyber

🚽 Well, shit: Kohler’s “End-to-End Encrypted” Smart Toilet Camera… Isn’t

Intro:
IoT security has given us plenty of questionable design decisions, but few match the audacity of a toilet camera marketed as “end‑to‑end encrypted.” Spoiler: it wasn’t.

What Happened:
Kohler’s Dekoda smart toilet camera promised users that images, yes, those images, were protected with end‑to‑end encryption. Security researchers found that the footage is decrypted on Kohler’s servers for machine‑learning analysis, meaning Kohler itself is one of the “ends.” The findings spread quickly through privacy and security circles.

Why It’s Important:
This wasn’t just a mislabeled feature; it was a fundamental misunderstanding (or misrepresentation) of what end‑to‑end encryption means: if the vendor can decrypt the data, it is encryption in transit and at rest, not E2EE. Any device capturing highly sensitive biometric or health‑adjacent data and then decrypting it server‑side is a major privacy liability.

The Other Side:
Kohler claims the processing is necessary for “health insights,” but that still doesn’t excuse inaccurate security claims. Transparency matters, especially when the device involved is… this intimate.

👉 Takeaway:
If a vendor says their hardware is end‑to‑end encrypted, verify it, especially when it’s pointed at your body. The test is simple: if the vendor can run analytics on the plaintext, or can recover your data after you lose your device, the vendor holds a key and the claim is false.

TL;DR:
A toilet camera advertised as E2EE wasn’t E2EE at all. The internet responded exactly how you’d expect.

Enjoying Exzec Cyber? Forward this to one person who cares about staying ahead of attacks

Hate everything you see or have other feedback? Reply back to this email!
