#react2shell-vulnerability

#react2shell-vulnerability

The dynamic type hints feature in Module Federation 2.0 dramatically streamlines the development process by automatically generating and loading types from remote modules, eliminating the need for shared type packages.

The most dangerous assumption in quality engineering right now is that you can validate an autonomous testing agent the same way you validated a deterministic application. When your systems can reason, adapt, and make decisions on their own, that linear validation model collapses.

Automate your React Localization with Crowdin Stack Stop treating i18n as a deployment bottleneck🛑 Crowdin automates your React localization workflow. Sync content to Crowdin, translate with AI and human proofreaders, and auto-sync the translations back to your git. Repo Integration: Connect directly to GitHub/GitLab repo. Localization becomes a simple, continuous part of your CI/CD pipeline. Context Harvester: Our open-source CLI uses Agentic AI to scan your JSX. It automatically provides translators with the exact UI context for every string.

"Use-after-free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page."

The Microsoft Defender team says that the attacker created fake web app projects built with Next.js and disguised them as coding projects to share with developers during job interviews or technical assessments. The researchers initially identified a repository hosted on the Bitbucket cloud-based Git-based code hosting and collaboration service. However, they discovered multiple repositories that shared code structure, loader logic, and naming patterns.

Researchers have discovered that a compromised npm publish token pushed an update for the widely-used Cline command line interface (CLI) containing a malicious postinstall script. That script installs the wildly popular, but increasingly condemned, agentic application OpenClaw on the unsuspecting user's machine. This can be extremely dangerous, as OpenClaw has broad system access and deep integrations with messaging platforms including WhatsApp, Telegram, Slack, Discord, iMessage, Teams, and others.

Cybersecurity company VulnCheck said it first observed exploitation of CVE-2025-11953 (aka Metro4Shell) on December 21, 2025. With a CVSS score of 9.8, the vulnerability allows remote unauthenticated attackers to execute arbitrary operating system commands on the underlying host. Details of the flaw were first documented by JFrog in November 2025. Despite more than a month after initial exploitation in the wild, the "activity has yet to see broad public acknowledgment," it added.

saving lockfile integrity checks (package-lock.json, pnpm-lock.yaml, and others) to version control (git). The lockfile records the exact version and integrity hash of every package in a dependency tree. On subsequent installs, the package manager checks incoming packages against these hashes, and if something doesn't match, installation fails. If an attacker compromises a package and pushes a malicious version, the integrity check should catch the mismatch and block it from being installed.

Datadog Security Labs said it observed threat actors associated with the recent React2Shell ( CVE-2025-55182, CVSS score: 10.0) exploitation using malicious NGINX configurations to pull off the attack. "The malicious configuration intercepts legitimate web traffic between users and websites and routes it through attacker-controlled backend servers," security researcher Ryan Simon said. "The campaign targets Asian TLDs (.in, .id, .pe, .bd, .th), Chinese hosting infrastructure (Baota Panel), and government and educational TLDs (.edu, .gov)."