Best of SecurityDecember 2025

  1. 1
    Article
    Avatar of collectionsCollections·25w

    Critical Vulnerability in React Server Components: Immediate Action Required

    React2Shell (CVE-2025-55182) is a critical remote code execution vulnerability with a CVSS score of 10.0, affecting React 19.0-19.2.0 and Next.js 15.x-16.x. The flaw stems from unsafe deserialization in React's Flight protocol, allowing unauthenticated attackers to execute arbitrary code through crafted HTTP requests. State-sponsored groups and cybercriminals are actively exploiting it to deploy cryptocurrency miners and backdoors. Organizations must upgrade to patched versions (React 19.0.1+, Next.js 15.0.5+) immediately, as the vulnerability impacts 39% of cloud environments and 6% of all websites. WAF rules and endpoint restrictions provide temporary mitigation.

  2. 2
    Article
    Avatar of nordicapisNordic APIs·21w

    A Software Architect’s Guide to API-First Strategy

    API-first strategy treats APIs as foundational contracts defined before code implementation, enabling parallel development, improved governance, and better security. The approach requires design-first methodology using OpenAPI specifications, RESTful principles, strategic versioning, and robust authentication/authorization. Key infrastructure includes API gateways for traffic management, IAM systems for access control, observability tools for monitoring, and emerging AI gateways for LLM interactions. Security must be integrated throughout the lifecycle with proper authentication (OAuth 2.0, OIDC), fine-grained authorization (RBAC, ABAC), input validation, rate limiting, and TLS encryption. Industries like fintech, retail, and healthcare demonstrate success through improved interoperability, faster innovation, and new revenue streams. The strategy is essential for AI-readiness, as autonomous agents require well-documented, discoverable APIs with clear semantic contracts.

  3. 3
    Article
    Avatar of infoworldInfoWorld·22w

    WhatsApp API worked exactly as promised, and stole everything

    A malicious npm package called "lotusbail" masqueraded as a legitimate WhatsApp Web API library for six months, accumulating over 56,000 downloads. The package functioned correctly while secretly stealing messages, credentials, and contact data through a proxy layer that intercepted all operations. It used four layers of obfuscation and RSA encryption to exfiltrate data to attacker-controlled servers. Most critically, it exploited WhatsApp's multi-device pairing to maintain persistent access even after package removal, requiring manual device unlinking. The package remains available on npm, highlighting the limitations of traditional security checks against supply-chain attacks that mimic legitimate behavior.

  4. 4
    Article
    Avatar of portkeyportkey·23w

    Understanding MCP Authorization

    MCP (Model Context Protocol) requires authorization controls as it moves from local experimentation to production deployments. The protocol enables AI models to interact with external tools and APIs dynamically, but without authorization, every connected client can access all exposed tools. Authorization in MCP works through server-side enforcement at request time, not connection time, using patterns like token-based authorization, scoped capability access, and role-based policies. Best practices include applying least privilege, using short-lived scoped tokens, authorizing every tool call individually, and making all access auditable. Strong authorization boundaries are essential for safely deploying MCP in shared environments and production systems.

  5. 5
    Article
    Avatar of itsfossIt's Foss·24w

    Is Helium the Browser Brave Was Meant to Be?

    Helium is a privacy-focused web browser built on ungoogled Chromium that aims to deliver privacy by default without unnecessary bloat. It includes built-in uBlock Origin with Manifest V2 support, native DuckDuckGo bangs for quick searches, and Helium services to anonymize external connections. The browser stores everything locally with no sync or password manager, blocks third-party cookies by default, and enforces HTTPS. Notable features include split-view tabs and cleaner customization options. However, it's still beta software with some limitations: login issues with bundled uBlock Origin, no DRM support for streaming services, and users must bring their own solutions for password management and syncing across devices.

  6. 6
    Article
    Avatar of octopusdeployOctopusDeploy·24w

    OWASP Top Ten: 20 years of Application Security

    Twenty years of OWASP Top 10 data shows application security fundamentals haven't improved—the same vulnerabilities persist across new technologies. SQL injection evolved into NoSQL injection, GraphQL manipulation, and now prompt injection. Broken access control remains the top issue. Supply chain attacks emerged as a major threat vector with npm packages and CI/CD pipelines becoming targets. While authentication improved with passkeys, authorization still fails consistently. The article provides practical guidance: shift-left security with runtime monitoring, assume dependency compromise, treat authorization like authentication, and understand that every developer is part of the security team. Leaders must invest in training, tooling, and observability rather than just buying security products.

  7. 7
    Article
    Avatar of itsfossIt's Foss·24w

    The Tor Project is Now Rewritten in Rust Instead of C

    Arti 1.8.0, the Rust rewrite of Tor, introduces circuit timeout improvements that replace predictable timing patterns with randomized intervals to reduce fingerprinting risks. The release includes an experimental command for migrating onion service client authorization keys from C-based Tor to Arti's keystore, plus enhancements to routing architecture and protocol implementation. The rewrite addresses memory safety vulnerabilities inherent in the original C codebase, including buffer overflows and use-after-free bugs.

  8. 8
    Article
    Avatar of denoDeno·24w

    Deno 2.6: dx is the new npx

    Deno 2.6 introduces dx, a new command for running package binaries similar to npx. The release adds granular permission controls with --ignore-read and --ignore-env flags, integrates tsgo for faster type checking, and supports source phase imports for WebAssembly. New features include deno audit for security vulnerability scanning, --require flag for CommonJS preloading, and improved dependency management with deno approve-scripts. The release enhances Node.js compatibility with @types/node included by default, numerous API fixes across crypto, fs, process, and sqlite modules, and better bundler support for different platforms. Additional improvements include transferable web streams, native source map support, and V8 14.2 upgrade.

  9. 9
    Article
    Avatar of thnThe Hacker News·22w

    Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites

    Two malicious Chrome extensions named "Phantom Shuttle" have been discovered stealing credentials from over 170 websites. Disguised as VPN services with paid subscriptions ($1.40-$13.50), the extensions inject proxy credentials, route traffic through attacker-controlled servers, and exfiltrate user passwords, cookies, API keys, and other sensitive data every five minutes. The extensions target developer platforms (GitHub, Stack Overflow), cloud services (AWS, Azure), social media, and other high-value domains. The operation appears to be China-based and has been active since 2017. Users should immediately remove these extensions, and security teams should implement extension allowlisting and network monitoring.

  10. 10
    Article
    Avatar of nordicapisNordic APIs·22w

    AuthZEN: A New Standard for Fine-Grained Authorization

    AuthZEN is a new OpenID Foundation specification that standardizes fine-grained authorization through a JSON-based decision API. It decouples policy enforcement points from policy decision points, allowing organizations to use any authorization model (RBAC, ABAC, ReBAC, etc.) behind a consistent interface. This approach reduces vendor lock-in, enables dynamic context-aware decisions for zero-trust architectures, and simplifies authorization across microservices, API gateways, and data systems. AuthZEN aims to bring the same level of standardization to authorization that OAuth and OpenID Connect brought to authentication.

  11. 11
    Video
    Avatar of primeagenThePrimeTime·21w

    They did what to SQL?

    A satirical commentary on TailwindSQL, an absurd open-source project that proposes writing database queries using CSS class syntax similar to Tailwind. The piece humorously critiques the concept of executing SQL queries from the client side using HTML classes, highlighting the obvious security implications and questioning the practicality of build-time query execution. The commentary uses heavy sarcasm to mock the trend of over-engineering simple solutions and the proliferation of questionable developer tools.

  12. 12
    Article
    Avatar of techleaddigestTech Lead Digest·23w

    Thousands of sensitive secrets published on JSONFormatter and CodeBeautify

    WatchTowr researchers discovered over 80,000 leaked sensitive secrets on JSONFormatter and CodeBeautify platforms, including passwords, API keys, cloud credentials, and private keys from government, finance, healthcare, and telecom organizations. Users unknowingly exposed data through predictable public URLs when using "Save" features. Despite months of warnings to organizations, the leaks persist, with evidence showing attackers already scraping these platforms. The research highlights critical security negligence in how developers handle sensitive information on public code-formatting tools.

  13. 13
    Video
    Avatar of fireshipFireship·24w

    React.js shell shocked by 10.0 critical vulnerability…

    A critical 10.0 severity vulnerability (CVE-2025-55182) dubbed "React2shell" has been discovered in React's server components flight protocol. The exploit allows attackers to achieve remote code execution without authentication by sending malicious payloads that are deserialized on the server. The vulnerability affects millions of React applications using Next.js and similar frameworks, with over 2 million vulnerable servers estimated. Security researchers observed active exploitation attempts from Chinese hacking groups within hours of disclosure. Developers should immediately check their React server components package versions and update to patched versions.

  14. 14
    Article
    Avatar of theregisterThe Register·21w

    New York’s incoming mayor bans Raspberry Pi at inauguration

    New York's mayor-elect banned Raspberry Pi devices from his inauguration block party, listing them alongside explosives, weapons, and Flipper Zero devices. While the Flipper Zero has known capabilities for cloning RFID cards and manipulating wireless communications, the Raspberry Pi ban appears less justified since the single-board computers are less portable and conspicuous. Critics note the ban is futile since smartphones could perform similar malicious functions, and it unfairly tarnishes a device widely used in education and creative projects.

  15. 15
    Article
    Avatar of troyhuntTroy Hunt·25w

    Why Does Have I Been Pwned Contain "Fake" Email Addresses?

    Have I Been Pwned (HIBP) contains seemingly "fake" email addresses because it extracts any string matching valid email format (alias@domain.tld) from breach data, without verifying if actual mailboxes exist behind them. These addresses appear in breaches because websites often store unverified email addresses in their databases before users complete email verification. The service processes 7 billion unique addresses, making individual mailbox verification impossible. The extraction logic is open source and follows RFC standards for email structure, not deliverability.

  16. 16
    Video
    Avatar of lowlevellearningLow Level Learning·23w

    i didn't expect to see this...

    A CVE was discovered in Rust code within the Linux kernel's Android Binder driver, marking the first security vulnerability in kernel Rust code. The bug is a race condition in an unsafe block that handles doubly linked list operations for tracking node deaths. The vulnerability occurred because the code moved list items to a local stack copy and dropped the lock prematurely, allowing two threads to simultaneously access and modify the same list structure. This led to memory corruption and kernel crashes. The fix involved iterating over the list with proper locking instead of creating a local copy, demonstrating that even memory-safe languages require careful handling of concurrent operations in kernel code.

  17. 17
    Article
    Avatar of twirThis Week In React·24w

    React Native 0.83, Reanimated 4.2, State of RN, Refined, Crypto, Worklets, Sheet Navigator

    React Native 0.83 is released with React 19.2 support, enabling Activity component and useEffectEvent. Reanimated 4.2 introduces Shared Element Transitions. The newsletter also covers a critical React Server Components vulnerability (React2Shell) affecting Next.js and other frameworks, requiring immediate patching. Additional updates include TanStack AI alpha release, new React data fetching library Fate, DevTools improvements, and various library releases including Worklets 0.7, Quick Crypto 1.0, and MMKV 4.1.

  18. 18
    Article
    Avatar of itsfossIt's Foss·22w

    We Have Another New Linux Phone Before 2025 Ends...And It's Not For You (or For Me)

    FuriLabs launched the Void Phone VX1, an enterprise-focused Linux smartphone that's a rebadged FLX1s running Debian-based FuriOS. The device features a MediaTek Dimensity 900 chipset, 8GB RAM, and 128GB storage. Its enterprise capabilities include mobile device management (MDM) features like remote wipes, app whitelists, geofencing, and custom security policies for $2.50 per device monthly. Organizations can order with white-label customization, but MDM features require minimum orders of 100 units.

  19. 19
    Article
    Avatar of searlsJustin Searls·22w

    Just verified this: macOS Tahoe 26 is…

    macOS Tahoe 26 introduces the ability to accept inbound SSH connections on FileVault-protected Macs before the first unlock after a cold boot. The process involves SSHing in normally, being disconnected as macOS finishes booting, then reconnecting via SSH again.

  20. 20
    Article
    Avatar of auth0Auth0·24w

    A New Auth0 ASP.NET SDK to Secure Your API

    Auth0 releases a beta SDK for ASP.NET Core that simplifies API authentication. The new package wraps Microsoft's JWT Bearer authentication while adding native DPoP support for enhanced security. It provides pre-configured Auth0 settings, flexible configuration through the options pattern, and maintains full compatibility with standard JWT Bearer features. Installation requires .NET 8 or above and involves adding the NuGet package and configuring authentication in Program.cs.

  21. 21
    Article
    Avatar of socketdevSocket·25w

    npm Sees Surge of Auto-Generated “elf-stats” Packages Publis...

    Socket's Threat Research Team discovered over 420 automated malicious packages published to npm following an "elf-stats" naming pattern. These packages were published every two minutes from newly created accounts and contained simple malware variants. npm has begun removing the affected packages, but the automated publishing continues with new variations appearing. Developers should avoid installing any packages matching the elf-stats-* pattern until they can be verified as safe.

  22. 22
    Video
    Avatar of seytonicSeytonic·24w

    Inmate Hacks Prison: Watches P***, Prints Money, Reduces Sentence

    A Romanian inmate exploited admin credentials to access a prison management system, allowing prisoners to view restricted content, inflate account balances by millions, and reduce sentences. India's government attempted to mandate a preinstalled, undeletable cybersecurity app on all phones but backtracked after backlash. Multiple US radio stations were hacked through poorly secured studio transmitter links with default passwords, broadcasting unauthorized content and triggering FCC warnings about security practices.

  23. 23
    Article
    Avatar of microservicesioMicroservices.io·24w

    Authentication and authorization in a microservice architecture - Part 5 - implementing complex authorization using Oso Cloud

    Authorization in microservices becomes complex when decisions require data from multiple services. Authorization-as-a-service platforms like Oso Cloud solve this by centralizing policy logic written in declarative languages (Polar) and evaluating authorization decisions via API calls. Services populate Oso with facts about roles and relationships through events (CQRS pattern), then delegate authorization checks instead of implementing complex conditional logic and database joins. This approach supports RBAC, ReBAC, and ABAC while reducing per-service implementation burden. The article demonstrates Oso integration in a security system application, showing how policies express role inheritance across resource relationships and how unification evaluates permission queries.

  24. 24
    Article
    Avatar of cloudnativenowCloud Native Now·21w

    Best of 2025: Hardening Kubernetes Security with DevSecOps Practices

    Kubernetes security requires a fundamental shift from traditional perimeter-based approaches to DevSecOps practices. The article explores common security pitfalls including misconfigurations, runtime blind spots, and under-secured internal APIs. Key strategies include automation throughout the development lifecycle, policy-as-code enforcement using tools like OPA Gatekeeper, runtime security monitoring, and risk-based vulnerability prioritization. Success depends on cultural transformation with executive support, blameless postmortems, and shared responsibility. Emerging trends like GitOps for security management, eBPF for deeper observability, and AI-enhanced threat detection promise to further strengthen cloud-native security postures.

  25. 25
    Article
    Avatar of springSpring·21w

    Evolving Spring Vault: Introducing VaultClient

    Spring Vault 4.1 introduces VaultClient and ReactiveVaultClient as modern replacements for the template-based API. The new fluent interface enforces relative path handling to prevent security issues, eliminates confusion between Vault and platform-specific HTTP clients, and aligns with Spring's HTTP client evolution. Built on RestClient/WebClient primitives, it provides better abstraction while preparing for RestTemplate deprecation in Spring Framework 7.1. Migration involves moving customizations from RestTemplateCustomizer to VaultClientCustomizer, with future plans for PKI integration with SSL bundles and database credential rotation.

See all Security archives