React2Shell exploits continue with large-scale Linux backdoor deployments and cloud credential theft

Building on earlier PeerBlight attacks, Google Threat Intelligence reports exploitation of the React2Shell vulnerability (CVE-2025-55182) by China-nexus clusters and financially motivated actors deploying backdoors and cryptocurrency miners on vulnerable React and Next.js systems.

December 10, 2025 Reported by AI

A critical vulnerability in React Server Components, known as React2Shell and tracked as CVE-2025-55182, is being actively exploited to deploy a new Linux backdoor called PeerBlight. This malware turns compromised servers into covert proxy and command-and-control nodes. Attackers use a single crafted HTTP request to execute arbitrary code on vulnerable Next.js and React applications.

At the NDSS 2025 conference, Hengkai Ye and Hong Hu from The Pennsylvania State University presented a paper on subtle vulnerabilities in Linux systems that reintroduce executable stacks. Their work highlights how developers, including security experts, accidentally disable protections against code injection attacks. The study examines tools and system components to reveal gaps in enforcing write-xor-execute policies.

January 14, 2026 Reported by AI

Security researchers at Check Point have uncovered VoidLink, a sophisticated new Linux malware framework designed to target cloud infrastructures. Written in Zig and linked to Chinese developers, it features over 30 plugins for stealthy reconnaissance, credential theft, and lateral movement. No real-world infections have been observed yet, but its capabilities signal a growing threat to enterprise cloud environments.

Cybercriminals have compromised trusted Linux applications on the Snap Store by seizing expired domains, allowing them to push malware that steals cryptocurrency recovery phrases. Security experts from SlowMist and Ubuntu contributor Alan Pope highlighted the attack, which targets established publisher accounts to distribute malicious updates impersonating popular wallets. Canonical has removed the affected snaps, but calls for stronger safeguards persist.

January 09, 2026 Reported by AI

A security researcher has found that bugs in the Linux kernel often remain undetected for more than two years on average, with some persisting for over two decades. By analyzing 20 years of kernel development, Jenny Guanni Qu uncovered how these flaws quietly affect cloud systems, enterprises, and billions of devices. Her work highlights the challenges of maintaining secure open-source software.