Top stories.
- Threat actors exploit maximum-severity React flaw.
- US and Canadian intelligence agencies outline Chinese malware campaign.
- Twin brothers arrested in Virginia for allegedly stealing and destroying government data.
Threat actors exploit maximum-severity React flaw.
Researchers at AWS warn that multiple Chinese threat actors began exploiting a maximum-severity vulnerability (CVE-2025-55182) affecting React Server Components within hours of its disclosure on Wednesday. The vulnerability, tracked as "React2Shell," "unsafely deserializes payloads from HTTP requests to Server Function endpoints," enabling unauthenticated remote code execution. Working exploits for the flaw are now available on GitHub. Researchers at Wiz estimate that 39% of cloud environments contain vulnerable instances of React and Next.js, and users are urged to apply patches immediately.
AWS has seen exploitation of the flaw from infrastructure tied to China's Earth Lamia and Jackpot Panda, as well as shared anonymization networks used by other China-linked threat actors. Additional threat actors are likely targeting the vulnerability now that exploits are publicly available.
US and Canadian intelligence agencies outline Chinese malware campaign.
The US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Canadian Centre for Cyber Security have published a joint report describing a BRICKSTORM malware campaign attributed to Chinese state-sponsored threat actors. The agencies explain, "BRICKSTORM is a sophisticated backdoor for VMware vSphere (specifically VMware vCenter servers and VMware ESXi) and Windows environments. The cyber actors have been observed targeting VMware vSphere platforms. Once compromised, the cyber actors can use their access to the vCenter management console to steal cloned virtual machine (VM) snapshots for credential extraction and create hidden, rogue VMs."
Twin brothers arrested in Virginia for allegedly stealing and destroying government data.
Twin brothers Muneeb and Sohaib Akhter were arrested in Virginia on Wednesday for allegedly stealing and destroying government data just after they were fired from a government contractor in February, CyberScoop reports. The Justice Department says the brothers deleted 96 databases, many of which "contained records and documents related to Freedom of Information Act matters administered by federal government departments and agencies, as well as sensitive investigative files of federal government components."
Notably, both men previously pleaded guilty to hacking charges while employed at a different government contractor in 2015, and were sentenced to more than two years in prison. Muneeb now faces a maximum penalty of 45 years in prison, while Sohaib faces a maximum penalty of six years. Bloomberg outlined the incident in a report in May, noting that it's unclear whether the contractor conducted a background check on the twins before hiring them.