Hello and welcome to the Thursday, December 18th, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the Sands.edu bachelor's decree program in applied cyber security.

The React to Shellwall ability is the gift that keeps on giving in a sense that, well, we keep seeing new variations of the exploit.

What's happening now is that attackers probably have realized that the original exploits

well have been run against all available systems. So there is really diminishing returns in

scanning the internet yet again with the same exploit. And we do see attackers vary a little bit.

So for example, they are changing the URL that they're targeting.

We had this one that now looks for example for slash API and slash app and various variations of that.

While the initial wave really just looked for the index page, which usually works sort of in these simple not customized kind of

applications we also see them at the rc action header which shows that they're going a little

away from just looking for next.js which of course again was the initial target of a lot of the exploits,

but also looking for other reasons why the React server components may be installed

and may be reachable. As before, well, if you have still an unpatched, vulnerable system,

assume compromise, even if the initial exploits may not have necessary. still an unpatched warnable system, assume

compromise, even if the

initial exploits may not have

necessarily shown your system

as vulnerable. We now

definitely see attackers customizing

and maybe also understanding

the vulnerability a little bit better and

...