Top stories.
- Threat actors exploit maximum-severity React flaw.
- Marquis breach affects dozens of banks and credit unions.
- Malicious browser extensions waited years before infecting users.
- Universities confirm Oracle EBS compromises.
- Coupang breach impacts nearly 34 million customers.
- Twin brothers arrested in Virginia for allegedly stealing and destroying government data.
Threat actors exploit maximum-severity React flaw.
Researchers at AWS warn that multiple Chinese threat actors began exploiting a maximum-severity vulnerability (CVE-2025-55182) affecting React Server Components within hours of its disclosure on Wednesday. The vulnerability, tracked as "React2Shell," "unsafely deserializes payloads from HTTP requests to Server Function endpoints," enabling unauthenticated remote code execution. Working exploits for the flaw are now available on GitHub. Researchers at Wiz estimate that 39% of cloud environments contain vulnerable instances of React and Next.js, and users are urged to apply patches immediately.
AWS has seen exploitation of the flaw from infrastructure tied to China's Earth Lamia and Jackpot Panda, as well as shared anonymization networks used by other China-linked threat actors. Additional threat actors are likely targeting the vulnerability now that exploits are publicly available.
Marquis breach affects dozens of banks and credit unions.
Financial software provider Marquis Software Solutions has disclosed a data breach affecting more than 400,000 customers from at least 74 banks and credit unions, BleepingComputer reports. The company said it sustained a ransomware attack on August 14th, 2025, after a threat actor compromised its SonicWall firewall. Marquis said in a filing with Maine's Attorney General that the affected data include "names, addresses, phone numbers, Social Security numbers, Taxpayer Identification Numbers, financial account information without security or access codes, and dates of birth."
Marquis hasn't attributed the attack to any particular group, but BleepingComputer notes that the Akira ransomware gang has been targeting SonicWall firewalls since September 2024.
Malicious browser extensions waited years before infecting users.
Researchers at Koi warn that a threat actor dubbed "ShadyPanda" conducted a seven-year-long browser extension campaign that infected 4.3 million Chrome and Edge users. The extensions operated for years as legitimate tools, building trustworthy reputations and large user bases, before receiving malicious updates in mid-2024. Koi states, "These extensions now run hourly remote code execution - downloading and executing arbitrary JavaScript with full browser access. They monitor every website visit, exfiltrate encrypted browsing history, and collect complete browser fingerprints."
The extensions have since been removed from the app stores, but Koi warns that previously infected browsers may still be compromised.
Universities confirm Oracle EBS compromises.
The University of Pennsylvania and the University of Phoenix both confirmed falling victim to a zero-day hacking campaign that targeted Oracle’s E-Business Suite (EBS), SecurityWeek reports. The University of Phoenix (UoPX) discovered the breach on November 21st after the Clop extortion gang listed the school on its leak site. UoPX found the attackers may have stolen names, contact details, dates of birth, Social Security numbers, and bank account information. Penn is notifying affected individuals directly and hasn't publicly disclosed the types of information that were breached.
Coupang breach impacts nearly 34 million customers.
South Korean e-commerce giant Coupang has disclosed a data breach affecting 33.7 million accounts, which the Korea Times notes represents nearly all of the company's customer base. According to PYMNTS, the breach affected users' names, email addresses, phone numbers, shipping addresses, and some order histories.
Reuters reports that the South Korean government held an emergency meeting to determine whether Coupang had violated privacy regulations. Coupang has apologized for the breach and is working with law enforcement and regulatory authorities. Korea's Internet & Security Agency warned users to be on the lookout for phishing scams in the wake of the breach.
Twin brothers arrested in Virginia for allegedly stealing and destroying government data.
Twin brothers Muneeb and Sohaib Akhter were arrested in Virginia on Wednesday for allegedly stealing and destroying government data just after they were fired from a government contractor in February, CyberScoop reports. The Justice Department says the brothers deleted 96 databases, many of which "contained records and documents related to Freedom of Information Act matters administered by federal government departments and agencies, as well as sensitive investigative files of federal government components."
Notably, both men previously pleaded guilty to hacking charges while employed at a different government contractor in 2015, and were sentenced to more than two years in prison. Muneeb now faces a maximum penalty of 45 years in prison, while Sohaib faces a maximum penalty of six years. Bloomberg outlined the incident in a report in May, noting that it's unclear whether the contractor conducted a background check on the twins before hiring them.