SoundCloud confirms a breach affecting an estimated 20% of users, resulting in stolen email addresses. The company is dealing with follow-up DoS attacks by unnamed attackers while media reports allege involvement of ShinyHunters.

Audio streaming giant SoundCloud announced on Monday that it has become the target of a security breach in which hackers managed to access limited user data. This news follows a period of service issues that left many users unable to access the platform, particularly those using it via VPNs.

****User Data Compromised****

SoundCloud has confirmed that the unauthorised activity was discovered in an “internal service system dashboard,” which is basically a supporting component. The company quickly shut down the access and immediately hired a leading third-party cybersecurity firm to assist with the investigation and response.

According to reports, the breach affected an estimated 20% of their community, which could be millions of accounts (approx. 28 million), given the platform’s large global network and reach.

The data possibly accessed included user email addresses and information that was already visible on users’ public SoundCloud profiles. However, SoundCloud has emphasised that no sensitive financial data, passwords, or payment details were stolen. The company stated they are confident that all unauthorised access to their data has been shut down.

“SoundCloud recently detected unauthorised activity in an ancillary service dashboard. Upon making this discovery, we immediately activated our incident response protocols and promptly contained the activity,” SoundCloud’s official statement reads.

What we’ve learned so far is that the notorious cyber extortion group ShinyHunters is reportedly responsible for the attack, as per Bleeping Computer’s source. While SoundCloud has not officially named the attackers and referred to them as a “purported threat actor group,” media reports suggest ShinyHunters is pressuring the company to pay them for not leaking the stolen data.

“We understand that a purported threat actor group accessed certain limited data that we hold. We have completed an investigation into the data that was impacted, and no sensitive data (such as financial or password data) has been accessed,” the company stated.

****Disruption and Follow-Up Attacks****

Before the breach was made public, many users, especially those in countries like Russia, mainland China, and Turkey, where the service is blocked and requires a VPN for access, reported connection failures and “403 Error” messages.

SoundCloud clarified in a post on X (formerly Twitter) that these temporary issues were an unfortunate side effect of their immediate security response, as they implemented new configuration changes to strengthen their systems. The company is actively working to resolve these access problems.

Source: X.com (@SCsupport)

Following the initial containment of the breach, the platform faced multiple denial-of-service (DoS) attacks. For your information, a DoS attack is when a system is flooded with so much traffic that it is overwhelmed and temporarily goes offline, making the service unavailable for normal users.

SoundCloud states that two of these attacks managed to temporarily disrupt web access, though the platform remains available via its apps and website now. The audio giant is recommending that all users remain alert about possible phishing attempts, as these often follow data breaches. Also, changing your passwords and enabling two-factor authentication is a great idea for added security.

SoundCloud Hit by Cyberattack, Breach Affects 20% of its Users

Amazon Threat Intelligence reports Russian GRU hackers are increasingly breaking into critical infrastructure by abusing misconfigured devices instead of exploiting software vulnerabilities.

Russian state-sponsored threat actors linked to the GRU (Glavnoye Razvedyvatelnoye Upravleniye, or Main Intelligence Directorate) are increasingly breaching into critical infrastructure networks by exploiting basic configuration mistakes rather than software vulnerabilities, according to new research from Amazon Threat Intelligence.

Amazon attributes the activity with high confidence to Sandworm, also tracked as APT44 and Seashell Blizzard. The campaign has targeted energy providers and other critical infrastructure organisations across North America and Europe since at least 2021. Amazon also identified infrastructure overlap with a group Bitdefender tracks as Curly COMrades, which appears to handle post-compromise activity.

Between 2021 and 2024, the attackers frequently relied on exploiting known and zero-day vulnerabilities to gain access. Amazon observed exploitation of flaws in WatchGuard firewalls, Atlassian Confluence, and Veeam backup software. In 2025, that activity declined sharply and was replaced by sustained targeting of misconfigured network edge devices.

The attackers focused on enterprise routers, VPN gateways, and network management appliances with exposed or poorly secured management interfaces. Many of these devices were customer-owned appliances running in cloud environments, including on AWS. Amazon stated the activity was caused by customer misconfiguration rather than weaknesses in AWS infrastructure.

After gaining access, the group harvested user credentials and later attempted to reuse them against victim organisations’ online services. Amazon assessed that credentials were likely collected through passive traffic interception using packet capture features on compromised devices. Subsequent credential replay attempts targeted collaboration platforms, source code repositories, and telecom services.

The campaign maintained a strong focus on the energy sector and its supply chain, including electric utilities, managed service providers, and supporting technology firms. Targeting was observed globally, with activity across North America, Europe, and the Middle East.

According to a blog post by CJ Moses, the CISO of Amazon, the company also documented long-term use of compromised legitimate servers as proxy infrastructure. The company cautioned that listed indicators of compromise should be investigated in context rather than blocked outright, as the systems may still host legitimate services.

Security professionals say the findings highlight a deliberate move toward lower-risk access methods. Chrissa Constantine, Senior Cybersecurity Solution Architect at Black Duck, said misconfigured edge devices and weak identity controls provide reliable access that blends in with normal administrative activity and is harder to detect.

Shane Barney, Chief Information Security Officer at Keeper Security, said the activity reinforces the value of basic security practices. He advised organisations to prioritise routine audits of network edge devices, eliminate exposed management interfaces, and monitor for unusual administrative access. He also warned that credential replay remains a primary risk once edge devices are compromised.

Amazon urged organisations to audit network edge devices, review authentication logs for credential reuse, and monitor administrative access from unexpected locations. For AWS environments, the company recommended restricting security group access, isolating management interfaces, enabling logging and threat detection services, and regularly scanning instances for exposure.

Amazon: Russian GRU hackers favor misconfigured devices over vulnerabilities

A critical vulnerability (CVE-2025-34352) found by XM Cyber in the JumpCloud Remote Assist for Windows agent allows local users to gain full SYSTEM privileges. Businesses must update to version 0.317.0 or later immediately to patch the high-severity flaw.

A major security problem has been found in the JumpCloud Remote Assist for Windows agent, a tool used by over 180,000 organisations across 160 countries to manage their computers. This issue could allow a regular user on a company machine to take full, persistent control of that device.

The critical vulnerability, tracked as CVE-2025-34352, was found by security researcher Hillel Pinto at the firm XM Cyber. It has been given a High severity rating, with a CVSS v4.0 score of 8.5 out of 10.

****High-Risk Vulnerability Explained****

The problem lies in how the Remote Assist agent removes itself from a computer. When the main JumpCloud Agent uninstalls, it runs this cleanup process with the highest privileges available on a Windows machine, NT AUTHORITY\\SYSTEM. As we know it, a program running with these permissions has full, unrestricted control over the computer.

According to XM Cyber’s research blog, also authored by Hillel Pinto, the agent makes a critical mistake by performing file operations like writing or deleting files in a user’s temporary folder. This folder is a location that a standard, low-privileged user on the machine can control.

****Agent Becomes the Attacker’s Tool****

Researchers noted that the flaw makes the security tool itself a gateway for attack. An ordinary user on the compromised machine can trick the highly privileged uninstaller process into deleting or overwriting sensitive system files, rather than its own temporary files.

This vulnerability is immediately exploitable, which means a malicious local user could instantly achieve one of two outcomes:

*   Local Privilege Escalation (LPE): Gaining the highest level of access (SYSTEM) to the endpoint. Pinto noted that an exploit against this agent translates directly into “full, persistent control over the endpoint.”

*   Denial of Service (DoS): Causing the machine to crash completely.

****Urgent Update Required****

The security flaw is due to what researchers called a “known security pitfall,” where a privileged process interacts with a user-controlled directory.

Upon finding this flaw, the Pinto and his team followed a responsible disclosure process and notified JumpCloud. In response, the company confirmed the findings and has since released a fix. The fix addresses the main problem by correcting the way the privileged process handles files in user-controlled folders. It is advised that all organisations using the affected software must update immediately to version 0.317.0 or later to patch the issue.

Regarding this vulnerability discovery, Jim Routh, Chief Trust Officer at Saviynt, shared this comment with Hackread.com, stating, “This vulnerability is ‘eye candy’ for threat actors as it offers an approach to obtain privileged access over MS Windows devices at scale, covering over 180,000 enterprises.”

For business, Routh advised that “Enterprises have an opportunity to upgrade their privileged user management (PAM) system capabilities beyond password vaulting to include continuous validation of activity compared with an established pattern that operates in real time.

“Continuous validation capabilities can be built or bought as products today. Most PAM providers don’t offer continuous validation yet, but will in the near future. A mature PAM capability will reduce the risk of this threat tactic and vulnerability having a significant impact on an enterprise,” he emphasised.

JumpCloud Remote Assist Flaw Lets Users Gain Full Control of Company Devices

Frankfurt am Main, Germany, 16th December 2025, CyberNewsWire

**Frankfurt am Main, Germany, December 16th, 2025, CyberNewsWire**

Link11, a European provider of web infrastructure security solutions, has released new insights outlining five key cybersecurity developments expected to influence how organizations across Europe prepare for and respond to threats in 2026. The findings are based on analysis of current threat activity, industry research, and insights from the Link11 European Cyber Report, alongside broader market indicators such as PwC’s Global Digital Trust Insights 2026.

Cybersecurity is entering uncharted territory as the global threat landscape evolves at high speed. Geopolitical instability, fractured supply chains, and rapid advances in artificial intelligence are reshaping how cyber operations are conducted. According to PwC’s Global Digital Trust Insights 2026, geopolitical uncertainty has become one of the strongest drivers of increased cybersecurity investment, while many organizations continue to underinvest in proactive measures such as monitoring, testing, and hardening. These conditions leave critical gaps that increasingly sophisticated attackers are able to exploit.

Against this backdrop, Link11 has identified five developments expected to define the cybersecurity environment for European organizations in the year ahead.

**Five Key Cybersecurity Trends for 2026**

**1\. DDoS Attacks Will Increasingly Be Used as Diversion Tactics**

Link11 expects a marked rise in DDoS attacks in 2026. These attacks will not primarily be launched to disrupt services, but rather to draw attention away from more damaging activities occurring simultaneously. While IT teams are focused on keeping systems online, attackers may exploit the distraction to infiltrate networks, steal sensitive data, or deploy covert malware. These hybrid operations often remain undetected until long after the initial DDoS wave has been mitigated. For European organizations, this underscores the need for incident response frameworks that treat any DDoS alert as a potential precursor to a broader, multi-vector intrusion.

**2\. API-First Architectures Increase Exposure to Misconfigurations and Business Logic Abuse**

APIs will continue to be the backbone of Europe’s digital services, including financial platforms, e-commerce, and public-sector portals. As they grow in number and complexity, improperly secured or undocumented APIs are becoming one of the most attractive entry points for threat actors. These attackers exploit weaknesses through automated scraping, credential-stuffing campaigns, or by targeting high-value endpoints designed for critical business operations. In 2026, organizations that rely on large ecosystems of internal and external APIs will face rising risks of data leakage, process manipulation, and unauthorized access.

**3\. Integrated WAAP Platforms Overtake Fragmented Web Security Architectures**

Traditional, siloed web security tools – such as separate web application firewalls (WAFs), standalone distributed denial-of-service (DDoS) filters, and isolated bot management systems – are no longer adequate against multi-layer attacks. The shift toward consolidated web application and API protection (WAAP) platforms will accelerate across Europe in 2026. By correlating signals across protection layers, integrated WAAP systems can detect subtle anomalies and block sophisticated attacks that single-layer solutions would miss. This architectural convergence is essential for organizations operating in hybrid cloud environments or managing large-scale digital platforms.

**4\. AI-Driven DDoS Mitigation Becomes Essential Against Hyper-Scale Attacks**

DDoS attacks have evolved dramatically in terms of both scale and complexity. Massive IoT botnets and automated infrastructures can generate near-instantaneous traffic spikes, so rule-based mitigation is insufficient. By 2026, effective protection will depend on AI and behavioral analysis to distinguish legitimate traffic from dynamic attack patterns, enabling autonomous mitigation in milliseconds. To maintain service availability and reduce operational disruptions, European organizations will increasingly adopt AI-first DDoS defenses.

**5\. Regulatory Pressure Intensifies as Cybersecurity Oversight Expands Across Europe**

Regulatory frameworks such as NIS2 and DORA, as well as emerging national requirements, will impose strict expectations on businesses operating in the European market. Organizations must prepare for rapid breach reporting obligations, often within 24 to 72 hours, and significantly heightened scrutiny of supply chain security. Additionally, governments are moving toward stronger accountability for software vendors through Secure-by-Design mandates and mandatory Software Bills of Materials (SBOMs). For many organizations, compliance will evolve from an annual task to an integral operational practice.

**A More Complex Threat Landscape Requires Unified Defenses**

Jens-Philipp Jung, the CEO of Link11, emphasizes the broader implications:

> “In 2026, we expect DDoS attacks to be used far more often as smokescreens for deeper, more damaging intrusions.” This is not just an organizational risk; it is a systemic challenge affecting the availability and integrity of digital services across Europe. Strengthening resilience will require a coordinated approach involving awareness, knowledge sharing, and adoption of integrated, AI-driven security platforms.”

**About Link11**

Link11 is a specialized European IT security provider that protects global infrastructures and web applications from cyberattacks. Its cloud-based IT security solutions help companies worldwide strengthen the cyber resilience of their networks and critical applications to avoid business interruptions. Link11 is a BSI-qualified provider of DDoS protection for critical infrastructure. With PCI DSS, SOC 2 Type II, and ISO 27001 certifications, the company meets the highest standards in data security. 

**Contact**

**Lisa Froehlich**  
**Link11 GmbH**  
**\[email protected\]**

Link11 Identifies Five Cybersecurity Trends Set to Shape European Defense Strategies in 2026

US auto loan service 700Credit confirms a data breach exposed names, addresses, and Social Security numbers of dealership customers. Free credit monitoring is offered.

A major security breach has affected 700Credit, a Michigan, US-based Fintech and data services company that assists auto, RV, powersports, and marine dealerships across the nation with consumer financing options. The company, through its breach notice, stated that an “unauthorised access” event led to the copying of certain customer records.

****Timeline of the Breach and the Stolen Data****

700Credit first discovered unusual activity within its web application around October 25, 2025. The company immediately launched an investigation with third-party computer forensic specialists. The probe revealed the incident was not a brief event because personal data was stolen over five months, taken from dealer records between May and October 2025.

The breach is massive; as per the company’s breach notification filed with the Office of the Maine Attorney General, at least 5.6 million people across the country have had their personal information exposed. The unauthorised access allowed cybercriminals to steal data collected from the company’s client base of approximately 18,000 dealerships.

The personal information compromised in this incident varies for each individual, but it unfortunately includes sensitive identity details, including name, address, date of birth, and Social Security number.

The company has clarified that they are providing this notice out of an abundance of caution, and they currently have no evidence of any fraud occurring directly as a result of this event.

****Company’s Swift Response****

700Credit acted quickly to respond, confirming the incident was limited to the application layer and did not affect its internal network. They began notifying dealership clients on November 21, 2025, and is now informing all affected consumers.

This notification process includes the 19,225 Maine residents who will begin receiving their written notices around December 22, 2025, on behalf of the dealerships. 700Credit also made timely reports to the FBI and the Federal Trade Commission (FTC).

****Steps for Affected Individuals****

To help consumers potentially affected by this event, 700Credit is offering twelve months of complimentary credit monitoring services through TransUnion (Cyberscout). Individuals must enrol themselves using the instructions provided in their notification letter.

The company is strongly urging affected individuals. which includes over 160,000 in Michigan alone, to take immediate protective steps. This means staying alert to phishing emails and identity theft by routinely monitoring credit reports and account statements. 700Credit is also providing specific guidance on how to place a fraud alert or security freeze on one’s credit file.

****Expert Analysis on the Security Failure****

Commenting to Hackread.com, Chris Hauk, Consumer Privacy Champion at Pixel Privacy, shared his thoughts on the breach and what consumers should do next, stating, _“_Any individuals affected by the breach need to stay alert for any new accounts being opened up in their name. The information stolen includes four of the basic bits of information you need to open a new account. If at all possible, I would definitely take advantage of the credit monitoring and identity protection being offered to victims._“_

700Credit Data Breach Impacts Millions of Car Owners

A GitHub repository posing as a vulnerability scanner for CVE-2025-55182, also referred to as “React2Shell,” was exposed as…

A GitHub repository posing as a vulnerability scanner for CVE-2025-55182, also referred to as “React2Shell,” was exposed as malicious after spreading malware. The project, named React2shell-scanner, was hosted under the user niha0wa and has since been removed from the platform following community reports.

Saurabh, a cybersecurity researcher, flagged the now-deleted tool on LinkedIn last week after identifying suspicious behaviour in the code. According to his post, the script included a hidden payload designed to execute mshta.exe and fetch a remote file from py-installer.cc, a known technique used to drop second-stage malware.

Looking at the script confirms the warning. The malware was embedded within react2shellpy.py, where a section of base64-encoded strings was decoded into a PowerShell command.

The malware targeted Windows devices by using mshta.exe, a legitimate Windows tool often abused to run malicious scripts, pointing to a malicious custom script hosted on GitHub. The script appeared to execute without prompting the user or raising suspicion.

Screenshot of the fake React2Shell (CVE-2025-55182) scanner script hosted on GitHub (Image credit: Saurabh via LinkedIn)

The scanner was aimed at security professionals investigating CVE-2025-55182, presented as something helpful rather than harmful. By posing as a legitimate security utility, it turned normal research activity into an entry point for compromise, putting cybersecurity researchers at risk.

It is worth noting that this came just days after reports showed hackers hiding new PyStoreRAT malware inside utility tools on GitHub, specifically targeting OSINT and cybersecurity researchers.

While GitHub acted quickly and removed the repository, the incident goes on to show that code shared under the banner of cybersecurity tools needs to be reviewed with caution. Simply put, no tool should be trusted blindly just because it’s hosted on a familiar platform.

Saurabh’s full warning can be found here. He urged security professionals to review source code thoroughly before executing any third-party tools, especially those claiming to assist in vulnerability detection.

While the malicious script has been taken down, cached copies or forks may still circulate. Researchers analysing CVE-2025-55182 or similar high-interest vulnerabilities should stay alert for fake exploit tools, especially those with obfuscated code, network callbacks or unclear authorship.

GitHub Scanner for React2Shell (CVE-2025-55182) Turns Out to Be Malware

Cybersecurity researchers discovered an unsecured 16TB database exposing 4.3 billion professional records, including names, emails, and LinkedIn data. Learn what happened, why this massive data leak enables new scams, and how to protect your PII.

In a major event that should make every professional pause and worry about their online privacy, cybersecurity researcher Bob Diachenko, working with nexos.ai, recently discovered an unprotected MongoDB database on November 23, 2025. This enormous collection, totalling around 16 terabytes (TB) of data, was left wide open online, shockingly exposing 4.3 billion professional records that criminals could easily use for targeted attacks.

For your information, MongoDB is a popular type of database widely used by businesses to store large amounts of data. According to Diachenko, the database was secured just two days later after they alerted the owner, but it is impossible to know who might have accessed it beforehand.

****The Discovery and Data Details****

Further investigation by the Cybernews team revealed that the dataset contained nine separate sections, or “collections,” with names like “profiles,” “people,” and “unique\_profiles.” At least three of these collections exposed nearly 2 billion personal records.

The exposed details comprised Personally Identifiable Information (PII), including full names, email addresses, phone numbers, job roles, employment history, education, and links to professional platforms like LinkedIn.

The “unique\_profiles” collection alone held over 732 million records with photographs. Researchers also found that the “people” collection included metrics and IDs tied to the Apollo.io network.

“According to our researchers, all records within a specific collection are unique. However, there could be duplicates between different collections within the exposed dataset,” Cybernews researchers explained.

Researchers noted that the total volume and organisation of the data strongly point to it being gathered from various sources, a common practice called scraping, possibly including previous leaks from as far back as 2021.

Exposed database (Source: Cybernews)

****Who Owns the Data and Why It’s Dangerous****

While the ultimate owner remains unconfirmed, further probing revealed strong clues. The database included web links suggesting it belonged to a lead-generation company (a firm that helps businesses find potential customers and has access to hundreds of millions of professionals), which closely matches the count of records found in the leaked collection.

“However, the team reserves the right not to attribute the leak to the company. There is a chance that the company’s presence in the leak points to its databases being scraped by the real owner of the data,” Cybernews researchers noted.

The primary danger here is that such large, structured datasets are a gold mine for criminals. With this level of detail, malicious actors can automate highly personalised scams, such as phishing (tricking people into giving up information) or even CEO fraud (impersonating a top executive), that are generally much harder for people to spot.

Researchers conclude that these records could be a strong base for cybercriminals to create extensive, searchable databases that could simplify attacks on high-value targets, including employees at major companies. Therefore, professionals must always use strong and unique passwords with two-factor authentication (2FA) enabled, and keep software updated to fix security weaknesses.

Here’s the full breakdown of the number of records in all 9 collections.

*   people – 169,061,357 docs (3.95 TB)
*   profiles – 1,135,462,992 docs (5.85 TB)
*   sitemap – 163,765,524 docs (20.22 GB)
*   intent – 2,054,410,607 docs (604.76 GB)
*   companies – 17,302,088 docs (72.9 GB)
*   intent\_archive – 2,073,723 docs (620 MB)
*   address\_cache – 8,126,667 docs (26.78 GB)
*   unique\_profiles – 732,412,172 docs (5.63 TB)
*   company\_sitemap – 17,301,617 docs (3.76 GB)

16TB of MongoDB Database Exposes 4.3 Billion Lead Gen Records

New report by Unit 42 reveals the Hamas-linked Ashen Lepus (WIRTE) group is using the AshTag malware suite to target Middle Eastern diplomatic and government entities with advanced, hidden tactics.

A cyber-espionage group known as Ashen Lepus has been actively using a new set of malicious tools called AshTag to attack government and diplomatic offices across the Middle East, according to a recent report by the cybersecurity firm Palo Alto Networks’ Unit 42. This group, which has been linked to Hamas and is also tracked under the name WIRTE, has been, reportedly, conducting intelligence-gathering campaigns since 2018.

****A Relentless Spying Campaign****

Researchers noted that, unlike other similar groups whose activity slowed down during the Israel-Hamas conflict, Ashen Lepus “remained persistently active” and continued its operations even after the October 2025 Gaza ceasefire.

Initially, researchers observed the group focused on countries geographically close to the Palestinian Territories, such as the Palestinian Authority, Egypt, and Jordan. However, further investigation revealed a notable expansion in their targets, now including Oman and Morocco.

Regarding the attack method, the report reveals that the hackers rely on documents disguised as news or reports about Middle Eastern geopolitical affairs to trick their victims and distribute them via file-sharing services.

These themes, sometimes referencing the League of Arab States or the UN Security Council, are delivered via an initial “benign PDF file” that guides targets to a file-sharing service to download the actual malicious file. Lately, their bait has included more subjects related to Turkey and its relationship with the Palestinian administration.

****AshTag Malware Analysis and Attack Chain****

The new AshTag malware suite, the core element of this campaign, is designed to steal files and remotely run commands on a victim’s computer. The infection begins when the initial lure leads the target to download a compressed RAR archive, which contains three main components: a fake document, a malicious background program (a loader), and a separate, harmless PDF named Document.pdf.

Lure sample

When the victim opens the fake document, the malicious loader is quietly launched in the background, which then instantly displays Document.pdf. This clever move makes the target believe they successfully opened the file while the actual malware, which Unit 42 calls AshenOrchestrator, is loaded unseen.

It is worth noting that the group is becoming better at hiding its activity. They disguise the malware’s communication to look like normal internet traffic, for example, by using innocent-sounding website addresses like api.healthylifefeed.com.

Furthermore, the attackers are running their malicious software directly inside the computer’s memory (in-memory execution), which helps them avoid leaving behind evidence that security tools usually look for.

Full infection chain (Source: Unit 42)

This effort to improve operational security helps them evade detection. Once the AshTag malware successfully infiltrates a system, the hackers engage in “hands-on data theft,” accessing specific diplomacy-related documents, often from the victim’s email accounts, before stealing them. Organisations in the Middle East, especially those in the governmental and diplomatic sectors, are urged to remain aware of this continuous and evolving threat.

Hamas Linked Hackers Using AshTag Malware Against Diplomatic Offices

South Korean e-commerce giant Coupang faces intense scrutiny after CEO Park Dae-jun resigns over a data breach that exposed 33.7 million customer accounts. Read about the police raids, US lawsuit, and regulatory orders from PIPC.

The fallout from a massive customer data breach at South Korean e-commerce leader Coupang continues, with CEO Park Dae-jun announcing his resignation on Wednesday, December 10, over the incident. Mr. Park stated, “I deeply apologize for disappointing the public over the recent data breach,” and explained he decided to step down from all his positions to take full responsibility.

****Scale of the Breach****

As per Hackread.com’s earlier coverage of the incident, the leak affected 33.7 million customer accounts, a number equal to nearly two-thirds of South Korea’s total population. Coupang, which is facing a class-action lawsuit in the United States, has stated that the breach began through its overseas servers on June 24 and that the company became aware of the incident last month.

The exposed personal information includes customer names, phone numbers, email addresses, and delivery addresses. Please note that the company has repeatedly stated that sensitive data like payment details and login passwords were not compromised. The company initially reported only 4,500 affected accounts on November 20 before confirming the massive scale on November 29.

****Latest Updates****

The police have intensified their investigation, raiding Coupang’s Seoul headquarters twice this week to collect evidence. What we have learned so far is that authorities have issued a search warrant for a former Chinese national who worked for Coupang as a suspect in violating communications network laws and leaking confidential data.

Coupang Inc., the US-based parent company, has named Harold Rogers, its Chief Administrative Officer and General Counsel, as the interim CEO for the South Korean unit. Mr. Rogers will focus on managing the crisis and restoring trust, saying, “I know this situation has been unsettling for many.”

South Korea’s privacy watchdog, the Personal Information Protection Commission (PIPC), has also taken action. The PIPC ordered Coupang to revise its terms of service, which included a clause attempting to remove the company’s responsibility for harm from unauthorized third-party access.

Additionally, the regulator criticised Coupang for making its membership cancellation process too difficult for users. The presidential office has also called on the company to outline plans to compensate affected consumers. This incident adds to a series of recent data issues involving major Korean companies, raising serious questions about security practices.

Coupang CEO Steps Down After Data Breach Hits 33.7 Million Users

Torrance, United States / California, December 12th, 2025, CyberNewsWire In December 2025, CVE-2025-55182 (React2Shell), a vulnerability in React…

**Torrance, United States / California, December 12th, 2025, CyberNewsWire**

In December 2025, CVE-2025-55182 (React2Shell), a vulnerability in React Server Components (RSC) that enables remote code execution (RCE), was publicly disclosed. Shortly after publication, multiple security vendors reported scanning activity and suspected exploitation attempts, and CISA has since added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.

React2Shell is not tied to a specific framework; rather, it stems from a structural weakness in the RSC feature that affects the broader React ecosystem. This article examines the technical foundation of React2Shell, the exposure landscape of services using RSC, observed attacker activity, and the defensive strategies organizations should adopt.

****React2Shell Vulnerability Overview: A Structural Flaw Allowing RCE Without Authentication****

CVE-2025-55182 is caused by a validation flaw in the deserialization process of the Flight protocol, which React Server Components use to exchange state between the server and client. An attacker can achieve RCE simply by sending a crafted payload to the Server Functions endpoint without authentication, and because a PoC is already publicly available, the vulnerability is highly susceptible to automated attacks.

The impact extends to all services that use RSC, and because frameworks such as Next.js, React Router RSC, Waku, Vite RSC Plugin, Parcel RSC Plugin, and RedwoodJS share the same underlying structure, the broader React ecosystem is collectively exposed.

The official patch is available in react-server-dom-\* packages version 19.0.1 / 19.1.2 / 19.2.1 or later, and the vulnerability is rated CVSS 10.0, indicating critical severity.

****Exposure Analysis of React2Shell-Affected Assets Using Criminal IP****

React2Shell is difficult to detect using traditional product banners or HTML content alone. React-based services are designed so that RSC components are not externally exposed, and frameworks like Next.js, which vendor React modules internally, make it even harder to identify the underlying technology stack. As a result, simple banner-based detection methods cannot reliably determine whether RSC is enabled or whether a service is exposed to this vulnerability.

In real-world environments, the most reliable detection method is to identify systems based on their HTTP response headers, and servers with RSC enabled consistently exhibit the following values.

Criminal IP Search Query: “Vary: RSC, Next-Router-State-Tree” 

Users can detect RSC-enabled servers in the United States using Criminal IP by applying queries based on these header patterns.

Criminal IP Search Query: “Vary: RSC, Next-Router-State-Tree” country: “US”

According to the Criminal IP Asset Search results, the query “Vary: RSC, Next-Router-State-Tree” country: “US”  identified a total of 109,487 RSC-enabled assets. This header pattern indicates that RSC is active on these servers. While it does not mean that all of them are vulnerable, it is a critical indicator of the large-scale exposure surface that exists.

When examining the analysis results for a specific asset in Criminal IP, the server was found to have ports 80 and 443 exposed externally, and its response headers, SSL certificate details, vulnerability list, and Exploit DB associations could all be reviewed in a single unified page. In this asset, indicators relevant to React2Shell were identified alongside other critical vulnerabilities, including CVE-2023-44487 (HTTP/2 Rapid Reset), which has been widely abused in large-scale DDoS attacks.

This demonstrates how Criminal IP Asset Search provides multiple analysis layers that help assess whether an environment is realistically exploitable by attackers.

****Security Mitigation Strategies****

**1\. Immediate Update of React-Related Packages**

Organizations should immediately update all React-related packages to their latest patched releases. The react-server-dom-webpack package must be upgraded to version 19.0.1, 19.1.2, or 19.2.1, while react-server-dom-parcel and react-server-dom-turbopack should be updated to version 19.0.1 or later to ensure they are protected from the vulnerability.

**2\. Verify Patch Availability for Each Framework**

React RSC is used across multiple frameworks, including Next.js, Vite, Parcel, and RedwoodJS. Notably, Next.js vendors RSC internally, meaning that updating React packages alone may not automatically apply the fix. Therefore, it is essential to review each framework’s official security advisories or release notes and upgrade to the version in which the vulnerability has been addressed.

**3\. Minimize External Exposure of RSC Endpoints**

Whenever possible, restrict access using a reverse proxy, WAF or authentication gateway.

**4\. Leverage Criminal IP for Monitoring**

*   Monitor exposure of RSC-related header
*   Automatically block malicious scanning IPs
*   Detect scanning attempts based on TLS fingerprints
*   Check for vulnerability presence and associated Exploit DB entries

****The Analysis’s** **Conclusion****

React2Shell (CVE-2025-55182) is a critical vulnerability affecting the most widely used React-based services across the web ecosystem. With low exploitation complexity and publicly available PoCs, active attacks are spreading rapidly.

According to Criminal IP analysis, approximately 110,000 RSC-enabled services in the United States are exposed, underscoring the substantial risk of widespread exploitation. In addition to applying patches, identifying exposed RSC services and conducting real-time monitoring are essential components of an effective React2Shell response strategy. Criminal IP provides one of the most effective tools for accurately mapping this attack surface and strengthening defensive measures.

In relation to this, users can refer to Next.js Middleware Vulnerability Allows Authentication Bypass: Over 520K Assets at Risk. 

****About Criminal IP****

Criminal IP is the flagship cyber threat intelligence platform developed by AI SPERA. The platform is used in more than 150 countries and provides comprehensive threat visibility through enterprise security solutions such as Criminal IP ASM and Criminal IP FDS.

Criminal IP continues to strengthen its global ecosystem through strategic partnerships with Cisco, VirusTotal and Quad9. The platform’s threat data is also available through major US data warehouse marketplaces, including Amazon Web Services (AWS), Microsoft Azure and Snowflake. This expansion improves global access to high-quality threat intelligence from Criminal IP.

****Contact****

**Michael Sena**

**AI SPERA**

**\[email protected\]**

Source

HackRead