An anonymous reader shared this report from the site It's FOSS: Linux gives you plenty of ways to install software: native distro packages, Flatpak, Snap, AppImage, source builds, even curl-piped installers. The catch is that each one solves a different problem, yet none of them fully eliminates the "works here, breaks there" reality across all distros. Package Forge (PkgForge) is a new project with a narrower mission: deliver truly distro-independent portable applications that run the same way across systems....

It's not a new packaging format in and of itself, nor is it trying to replace AppImages. Instead, it's an ecosystem that publishes portable packages and static binaries in curated repositories, paired with a package manager designed to install and manage them. One of the ways PkgForge stands out from some portable app efforts on Linux is its focus on accessible documentation and a security-minded distribution model. The project primarily delivers prebuilt binary packages, keeps transparent build logs, and relies on checksum verification. This helps reduce the spread of ad-hoc install scripts and the need for local compilation, which has long been a common pattern when downloading Linux software directly (and still is for many projects today).

To make life easier for the end-user, the project maintains its own frontend, called Soar... which you can use like an additional package manager, and let it handle installation, updates, and system integration. It also allows you to search for apps and utilities without having to dig through the repos online. Alternatively, you can search the PkgForge repos manually, and download and manage individual portable packages on your own. This is preferable if you're building a portable toolkit on a USB drive, testing a single app temporarily, or simply want full control over where files live...

Even if it doesn't replace Flatpak, Snap, or AppImage, it helps give definition to what a more flexible, truly distro-independent future for portable Linux apps could look like.

"In the lead up to its Switch 2 console release, Nintendo updated its user agreement," writes the Free Software Foundation, warning that Nintendo now claims "broad authority to make consoles owned by its customers permanently unusable."

"Under Nintendo's most aggressive digital restrictions management (DRM) update to date, game console owners are now required to give Nintendo the unilateral right to revoke access to games, security updates, and the Internet, at its sole discretion." The new agreement states: "You acknowledge that if you fail to comply with [Nintendo's restrictions], Nintendo may render the Nintendo Account Services and/or the applicable Nintendo device permanently unusable in whole or in part...."

There are probably other reasons that Nintendo has and will justify bricking game consoles, but here are some that we have seen reported:

— "Tampering" with hardware or software in pretty much any way;
— Attempting to play a back-up game;
— Playing a "used" game; or
— Use of a third-party game or accessory...


Nintendo's promise to block a user from using their game console isn't just an empty threat: it has already been wielded against many users. For example, within a month of the Switch 2's release, one user unknowingly purchased an open-box return that had been bricked, and despite functional hardware, it was unusable for many games. In another case, a user installing updates for game cartridges purchased via a digital marketplace had their console disabled. Though it's unclear exactly why they were banned, it's possible that the cartridge's previous owner made a copy and an online DRM check determined that the current and previous owner's use were both "fraudulent." The user only had their console released through appealing to Nintendo directly and providing evidence of their purchase, a laborious process.

Nintendo's new console banning spree is just one instance of the threat that nonfree software and DRM pose to users. DRM is but one injustice posed by nonfree software, and the target of the FSF's Defective by Design campaign. Like with all software, users ought to be able to freely copy, study, and modify the programs running on their devices. Proprietary software developers actively oppose and antagonize their users. In the case of Nintendo, this means punishing legitimate users and burdening them with proving that their use is "acceptable." Console users shouldn't have to tread so carefully with a console that they own, and should they misstep, beg Nintendo to allow them to use their consoles again.

One developer tells MIT Technology Review that AI tools weaken the coding instincts he used to have. And beyond that, "It's just not fun sitting there with my work being done for me."

But is AI making coders faster? "After speaking to more than 30 developers, technology executives, analysts, and researchers, MIT Technology Review found that the picture is not as straightforward as it might seem..." For some developers on the front lines, initial enthusiasm is waning as they bump up against the technology's limitations. And as a growing body of research suggests that the claimed productivity gains may be illusory, some are questioning whether the emperor is wearing any clothes.... Data from the developer analytics firm GitClear shows that most engineers are producing roughly 10% more durable code — code that isn't deleted or rewritten within weeks — since 2022, likely thanks to AI. But that gain has come with sharp declines in several measures of code quality. Stack Overflow's survey also found trust and positive sentiment toward AI tools falling significantly for the first time. And most provocatively, a July study by the nonprofit research organization Model Evaluation & Threat Research (METR) showed that while experienced developers believed AI made them 20% faster, objective tests showed they were actually 19% slower...

Developers interviewed by MIT Technology Review generally agree on where AI tools excel: producing "boilerplate code" (reusable chunks of code repeated in multiple places with little modification), writing tests, fixing bugs, and explaining unfamiliar code to new developers. Several noted that AI helps overcome the "blank page problem" by offering an imperfect first stab to get a developer's creative juices flowing. It can also let nontechnical colleagues quickly prototype software features, easing the load on already overworked engineers. These tasks can be tedious, and developers are typically glad to hand them off. But they represent only a small part of an experienced engineer's workload. For the more complex problems where engineers really earn their bread, many developers told MIT Technology Review, the tools face significant hurdles...

The models also just get things wrong. Like all LLMs, coding models are prone to "hallucinating" — it's an issue built into how they work. But because the code they output looks so polished, errors can be difficult to detect, says James Liu, director of software engineering at the advertising technology company Mediaocean. Put all these flaws together, and using these tools can feel a lot like pulling a lever on a one-armed bandit. "Some projects you get a 20x improvement in terms of speed or efficiency," says Liu. "On other things, it just falls flat on its face, and you spend all this time trying to coax it into granting you the wish that you wanted and it's just not going to..." There are also more specific security concerns, she says. Researchers have discovered a worrying class of hallucinations where models reference nonexistent software packages in their code. Attackers can exploit this by creating packages with those names that harbor vulnerabilities, which the model or developer may then unwittingly incorporate into software.
Other key points from the article:

• LLMs can only hold limited amounts of information in context windows, so "they struggle to parse large code bases and are prone to forgetting what they're doing on longer tasks."

• "While an LLM-generated response to a problem may work in isolation, software is made up of hundreds of interconnected modules. If these aren't built with consideration for other parts of the software, it can quickly lead to a tangled, inconsistent code base that's hard for humans to parse and, more important, to maintain."

• "Accumulating technical debt is inevitable in most projects, but AI tools make it much easier for time-pressured engineers to cut corners, says GitClear's Harding. And GitClear's data suggests this is happening at scale..."

• "As models improve, the code they produce is becoming increasingly verbose and complex, says Tariq Shaukat, CEO of Sonar, which makes tools for checking code quality. This is driving down the number of obvious bugs and security vulnerabilities, he says, but at the cost of increasing the number of 'code smells' — harder-to-pinpoint flaws that lead to maintenance problems and technical debt."

Yet the article cites a recent Stanford University study that found employment among software developers aged 22 to 25 dropped nearly 20% between 2022 and 2025, "coinciding with the rise of AI-powered coding tools."

The story is part of MIT Technology Review's new Hype Correction series of articles about AI.

"Yet another distro is making the move to the KDE Plasma desktop," writes Linux magazine.

"Parrot OS, a security-focused Linux distribution, is migrating from MATE to KDE Plasma, starting with version 7.0, now available in beta." Based on Debian 13, Parrot OS's goal is a shift toward "modernization, focusing on clearing technical debt and future-proofing the system." One big under-the-hood change is that the/tmpdirectory is now automatically mounted astmpfs(in RAM), as opposed to the physical drive. By making this change, Parrot OS enjoys improved performance and reduces wear on SSDs. This shift also means that all data in/tmpis lost during a reboot.
ParrotOS senior systems engineer Dario Camonita explains the change in a blog post, calling it "not only aesthetic, but also in terms of usability and greater consistency with our future goals..."

"While MATE will continue to be supported by us as long as upstream development continues, We have noticed and observed the continuous improvements made by the KDE team..."

And elsewhere Linux Magazine notes two other distros are embracing the desktop Enlightenment: For years, Bodhi Linux was one of the very few distributions that used anything based on Enlightenment. That period of loneliness is officially over, withMX Mokshaand AV Linux 25. MX Moksha doesn't replace the original MX Linux. Instead, it will serve as an "official spin" of the distribution...

The Enlightenment desktop (and subsequently Moksha) was developed with systemd in mind, so MX Moksha uses systemd. If you're not a fan of systemd, MX Moksha is not for you. MX Moksha is lighter than MX Linux, so it will perform better on older machines. It also uses the Liquorix kernel for lower latency. AV Linux has been released with the Xfce and LXDE desktops at different times and has only recently opted to make the switch to Enlightenment.

An anonymous reader quotes a report from Search Engine Land: Google said today that it is suing SerpApi, accusing the company of bypassing security protections to scrape, harvest, and resell copyrighted content from Google Search results. The allegations: Google said SerpApi:

-Circumvented Google's security measures and industry-standard crawling controls.
-Ignored website directives that specify whether content can be accessed.
-Used cloaking, rotating bot identities, and large bot networks to scrape content at scale.
-Took licensed content from Search features, including images and real-time data, and resold it for profit.

What Google is saying. "Stealthy scrapers like SerpApi override [crawling] directives and give sites no choice at all," Google wrote, calling the alleged scraping "brazen" and "unlawful." Google said SerpApi's activity "increased dramatically over the past year." [...] If Google wins, reliable SERP data could become harder to get, more expensive, or both -- especially for teams that rely on tools powered by services like SerpApi. As AI already reduces clicks and transparency, Google now appears intent on making it even harder for brands to understand how Search works, how they appear in results, and how to measure success.

Airbus is preparing to tender a major contract to move mission-critical systems like ERP, manufacturing, and aircraft design data onto a digitally sovereign European cloud, citing national security concerns and fears around U.S. extraterritorial laws like the CLOUD Act. "I need a sovereign cloud because part of the information is extremely sensitive from a national and European perspective," Catherine Jestin, Airbus's executive vice president of digital, told The Register. "We want to ensure this information remains under European control." The Register reports: The driver is access to new software. Vendors like SAP are developing innovations exclusively in the cloud, pushing customers toward platforms like S/4HANA. The request for proposals launches in early January, with a decision expected before summer. The contract -- understood to be worth more than 50 million euros -- will be long term (up to ten years), with price predictability over the period. [...] Jestin is waiting for European regulators to clarify whether Airbus would truly be "immune to extraterritorial laws" -- and whether services could be interrupted.

The concern isn't theoretical. Chief Prosecutor of the International Criminal Court (ICC) Karim Khan reportedly lost access to his Microsoft email after Trump sanctioned him for criticizing Israeli PM Benjamin Netanyahu, though Microsoft denies suspending ICC services. Beyond US complications, Jestin questions whether European cloud providers have sufficient scale. "If you asked me today if we'll find a solution, I'd say 80/20."

TikTok's owner ByteDance has signed a deal creating a U.S.-focused joint venture majority-owned by American and global investors, allowing the app to avoid a U.S. ban while ByteDance retains a minority stake. The BBC reports: Half of the joint venture will be owned by a group of investors including Oracle, Silver Lake and the Emirati investment firm MGX, according to a memo sent by chief executive Shou Zi Chew. The deal, which is set to close on January 22, would end years of efforts by Washington to force ByteDance to sell its US operations over national security concerns. It is in-line with a deal unveiled in September, when US President Donald Trump delayed the enforcement of a law that would ban the app unless it was sold.

TikTok said in the memo that the deal would enable "over 170 million Americans to continue discovering a world of endless possibilities as part of a vital global community." Under the agreement, ByteDance will retain 19.9% of the business, while Oracle, Silver Lake and Abu Dhabi-based MGX will hold 15% each. Another 30.1% will be held by affiliates of existing ByteDance investors, according to the memo.

An anonymous reader quotes a report from Ars Technica: At this point, most competitive online multiplayer games on the PC come with some kind of kernel-level anti-cheat software. As we've written before, this is software that runs with more elevated privileges than most other apps and games you run on your PC, allowing it to load in earlier and detect advanced methods of cheating. More recently, anti-cheat software has started to require more Windows security features like Secure Boot, a TPM 2.0 module, and virtualization-based memory integrity protection. Riot Games, best known for titles like Valorant and League of Legends and the Vanguard anti-cheat software, has often been one of the earliest to implement new anti-cheat requirements. There's already a long list of checks that systems need to clear before they'll be allowed to play Riot's games online, and now the studio is announcing a new one: a BIOS update requirement that will be imposed on "certain players" following Riot's discovery of a UEFI bug that could allow especially dedicated and motivated cheaters to circumvent certain memory protections.

In short, the bug affects the input-output memory management unit (IOMMU) "on some UEFI-based motherboards from multiple vendors." One feature of the IOMMU is to protect system memory from direct access during boot by external hardware devices, which otherwise might manipulate the contents of your PC's memory in ways that could enable cheating. The patch for these security vulnerabilities (CVE-2025-11901, CVE-202514302, CVE-2025-14303, and CVE-2025-14304) fixes a problem where this pre-boot direct memory access (DMA) protection could be disabled even if it was marked as enabled in the BIOS, creating a small window during the boot process where DMA devices could gain access to RAM.

The relative obscurity and complexity of this hardware exploit means that Vanguard isn't going to be enforcing these BIOS requirements on every single player of its games. For now, it will just apply to "restricted" players of Valorant whose systems, for one reason or another, are "too similar to cheaters who get around security features in order to become undetectable to Vanguard." But Riot says it's considering rolling the BIOS requirement out to all players in Valorant's highest competitive ranking tiers (Ascendant, Immortal, and Radiant), where there's more to be gained from working around the anti-cheat software. And Riot anti-cheat analyst Mohamed Al-Sharifi says the same restrictions could be turned on for League of Legends, though they aren't currently. If users are blocked from playing by Vanguard, they'll need to download and install the latest BIOS update for their motherboard before they'll be allowed to launch the game. Riot's new anti-cheat change could create problems for older PCs if the new anti-cheat change is expanded, notes Ars.

The update relies on a BIOS patch to fix a UEFI flaw, and many older motherboards, especially Intel 300-series and AMD AM4 boards, may never receive that update. If Riot flags a system and the manufacturer doesn't provide a patched BIOS, players could be locked out of games despite having otherwise capable hardware.

An anonymous reader quotes a report from KrebsOnSecurity: Direct navigation -- the act of visiting a website by manually typing a domain name in a web browser -- has never been riskier: A new study finds the vast majority of "parked" domains -- mostly expired or dormant domain names, or common misspellings of popular websites -- are now configured to redirect visitors to sites that foist scams and malware. When Internet users try to visit expired domain names or accidentally navigate to a lookalike "typosquatting" domain, they are typically brought to a placeholder page at a domain parking company that tries to monetize the wayward traffic by displaying links to a number of third-party websites that have paid to have their links shown.

A decade ago, ending up at one of these parked domains came with a relatively small chance of being redirected to a malicious destination: In 2014, researchers found (PDF) that parked domains redirected users to malicious sites less than five percent of the time -- regardless of whether the visitor clicked on any links at the parked page. But in a series of experiments over the past few months, researchers at the security firm Infoblox say they discovered the situation is now reversed, and that malicious content is by far the norm now for parked websites. "In large scale experiments, we found that over 90% of the time, visitors to a parked domain would be directed to illegal content, scams, scareware and anti-virus software subscriptions, or malware, as the 'click' was sold from the parking company to advertisers, who often resold that traffic to yet another party," Infoblox researchers wrote in a paper published today.

An anonymous reader quotes a report from Tom's Hardware: A North Korean imposter was uncovered, working as a sysadmin at Amazon U.S., after their keystroke input lag raised suspicions with security specialists at the online retail giant. Normally, a U.S.-based remote worker's computer would send keystroke data within tens of milliseconds. This suspicious individual's keyboard lag was "more than 110 milliseconds," reports Bloomberg. Amazon is commendably proactive in its pursuit of impostors, according to the source report.

The news site talked with Amazon's Chief Security Officer, Stephen Schmidt, about this fascinating new case of North Koreans trying to infiltrate U.S. organizations to raise hard currency for the Democratic People's Republic of Korea (DPRK), and sometimes indulge in espionage and/or sabotage. Schmidt says that Amazon has foiled more than 1,800 DPRK infiltration attempts since April 2024. Moreover, the rate of attempts continues apace, with Amazon reckoning it is seeing a 27% QoQ uplift in North Koreans trying to get into the Amazon corporation. However, Amazon's success can be almost entirely credited to the fact that it is actively looking for DPRK impostors, warns its Chief Security Officer. "If we hadn't been looking for the DPRK workers," Schmidt said, "we would not have found them."

Hackers breached approximately 120,000 IP cameras across South Korea and allegedly sold footage captured from private homes, gynecology offices, breastfeeding rooms and massage parlors to an overseas pornography website, prompting an interagency government task force to announce sweeping reforms on December 7.

Police believe one suspect alone hacked 63,000 cameras and produced 545 videos that netted him 35 million won ($24,000) in cryptocurrency; a second suspect, operating independently, compromised 70,000 devices and earned 18 million won from 648 videos. The footage accounted for 62% of all content on the website, which maintains a dedicated "Korean" category. A government survey found that only 59% of installation companies consistently carried out mandatory security measures such as changing default passwords. Lawmakers are now pursuing legislation requiring security-certified IP cameras in sensitive facilities.

Bruce66423 writes: A man boarded a flight at Heathrow without a ticket, boarding pass or passport.

'The unnamed individual walked onto the 7.20am British Airways (BA) flight to Oslo, Norway, on Saturday after tailgating other passengers through security and evading checks at the departure gate.

An aviation expert described the incident as a "significant lapse in security", as a witness reported that cabin crew only detected the interloper because the flight was full and he kept sitting in passengers' assigned seats.

Police arrested the unnamed man, airport sources said, adding that he had passed through "full security screening" before reaching the gate.

Given that he did go through the security check, this is merely embarrassing. Compare and contrast with this episode.

Chinese scientists have built a working prototype of an extreme ultraviolet lithography machine in a high-security Shenzhen laboratory, a development that represents exactly what Washington has spent years and multiple rounds of export controls trying to prevent: China's path toward semiconductor independence and an end to the West's monopoly on the technology that powers AI, smartphones and advanced weapons systems.

The prototype, completed in early 2025 by former ASML engineers who reverse-engineered the Dutch company's machines, is operational and generating EUV light, though it has not yet produced working chips. The effort is part of a six-year secret government initiative that sources described to Reuters as China's version of the Manhattan Project.

Huawei is coordinating thousands of engineers across companies and state research institutes, and recruits are working under false identities inside secure facilities. The Chinese government is targeting 2028 for producing working chips, though sources say 2030 is more realistic -- still years earlier than the decade analysts had predicted it would take China to match the West.

Longtime Linux developer Greg Kroah-Hartman announced that the Linux kernel has received its first CVE tied to Rust code. Phoronix reports: This first CVE (CVE-2025-68260) for Rust code in the Linux kernel pertains to the Android Binder rewrite in Rust. There is a race condition that can occur due to some noted unsafe Rust code. That code can lead to memory corruption of the previous/next pointers and in turn cause a crash. This CVE for the possible system crash is for Linux 6.18 and newer since the introduction of the Rust Binder driver. At least though it's just a possible system crash and not any more serious system compromise with remote code execution or other more severe issues.

An anonymous reader shares a report: Browser extensions with more than 8 million installs are harvesting complete and extended conversations from users' AI conversations and selling them for marketing purposes, according to data collected from the Google and Microsoft pages hosting them.

Security firm Koi discovered the eight extensions, which as of late Tuesday night remained available in both Google's and Microsoft's extension stores. Seven of them carry "Featured" badges, which are endorsements meant to signal that the companies have determined the extensions meet their quality standards. The free extensions provide functions such as VPN routing to safeguard online privacy and ad blocking for ad-free browsing. All provide assurances that user data remains anonymous and isnâ(TM)t shared for purposes other than their described use.

Google is suing a Chinese-speaking cybercriminal group it says is responsible for a massive wave of scam text messages sent to Americans this year, according to a legal complaint filed Tuesday. From a report: The group, known as Darcula, sells software that allows users to send phishing text messages en masse, impersonating organizations like the IRS or the U.S. Postal Service in scams. The lawsuit is designed to give Google legal standing so U.S. courts will allow it to seize websites the group uses, hampering their operations, a spokesperson said.

Darcula is possibly the most prominent name in an emerging, loosely affiliated cybercrime world that creates and sells hacking programs for aspiring scammers to use. Darcula's signature program, called Magic Cat, provides an easy-to-use, intuitive way for cybercriminals without advanced hacking skills to quickly spam millions of phone numbers with links to fake websites impersonating businesses like YouTube's premium service, then steal the credit card numbers victims put in.

mprindle writes: The Texas Attorney General sued five major television manufacturers, accusing them of illegally collecting their users' data by secretly recording what they watch using Automated Content Recognition (ACR) technology.

The lawsuits target Sony, Samsung, LG, and China-based companies Hisense and TCL Technology Group Corporation. Attorney General Ken Paxton's office also highlighted "serious concerns" about the two Chinese companies being required to follow China's National Security Law, which could give the Chinese government access to U.S. consumers' data.

According to complaints filed this Monday in Texas state courts, the TV makers can allegedly use ACR technology to capture screenshots of television displays every 500 milliseconds, monitor the users' viewing activity in real time, and send this information back to the companies' servers without the users' knowledge or consent.

An anonymous reader quotes a report from BleepingComputer: Audio streaming platform SoundCloud has confirmed that outages and VPN connection issues over the past few days were caused by a security breach in which threat actors stole a database containing user information. The disclosure follows widespread reports over the past four days from users who were unable to access SoundCloud when connecting via VPN, with attempts resulting in the site displaying 403 "forbidden" errors.

In a statement shared with BleepingComputer, SoundCloud said it recently detected unauthorized activity involving an ancillary service dashboard and activated its incident response procedures. SoundCloud acknowledged that a threat actor accessed some of its data but said the exposure was limited in scope. [...] BleepingComputer has learned that the breach affects 20% of SoundCloud's users, which, based on publicly reported user figures, could impact roughly 28 million accounts. The company said it is confident that all unauthorized access to SoundCloud systems has been blocked and that there is no ongoing risk to the platform. "We understand that a purported threat actor group accessed certain limited data that we hold," SoundCloud told BleepingComputer. "We have completed an investigation into the data that was impacted, and no sensitive data (such as financial or password data) has been accessed. The data involved consisted only of email addresses and information already visible on public SoundCloud profiles."

An anonymous reader quotes a report from Ars Technica: Microsoft is killing off an obsolete and vulnerable encryption cipher that Windows has supported by default for 26 years following more than a decade of devastating hacks that exploited it and recently faced blistering criticism from a prominent US senator. When the software maker rolled out Active Directory in 2000, it made RC4 a sole means of securing the Windows component, which administrators use to configure and provision fellow administrator and user accounts inside large organizations. RC4, short for Rivist Cipher 4, is a nod to mathematician and cryptographer Ron Rivest of RSA Security, who developed the stream cipher in 1987. Within days of the trade-secret-protected algorithm being leaked in 1994, a researcher demonstrated a cryptographic attack that significantly weakened the security it had been believed to provide. Despite the known susceptibility, RC4 remained a staple in encryption protocols, including SSL and its successor TLS, until about a decade ago. [...]

Last week, Microsoft said it was finally deprecating RC4 and cited its susceptibility to Kerberoasting, the form of attack, known since 2014, that was the root cause of the initial intrusion into Ascension's network. "By mid-2026, we will be updating domain controller defaults for the Kerberos Key Distribution Center (KDC) on Windows Server 2008 and later to only allow AES-SHA1 encryption," Matthew Palko, a Microsoft principal program manager, wrote. "RC4 will be disabled by default and only used if a domain administrator explicitly configures an account or the KDC to use it." [...] Following next year's change, RC4 authentication will no longer function unless administrators perform the extra work to allow it. In the meantime, Palko said, it's crucial that admins identify any systems inside their networks that rely on the cipher. Despite the known vulnerabilities, RC4 remains the sole means of some third-party legacy systems for authenticating to Windows networks. These systems can often go overlooked in networks even though they are required for crucial functions.

To streamline the identification of such systems, Microsoft is making several tools available. One is an update to KDC logs that will track both requests and responses that systems make using RC4 when performing requests through Kerberos. Kerberos is an industry-wide authentication protocol for verifying the identities of users and services over a non-secure network. It's the sole means for mutual authentication to Active Directory, which hackers attacking Windows networks widely consider a Holy Grail because of the control they gain once it has been compromised. Microsoft is also introducing new PowerShell scripts to sift through security event logs to more easily pinpoint problematic RC4 usage. Microsoft said it has steadily worked over the past decade to deprecate RC4, but that the task wasn't easy. "The problem though is that it's hard to kill off a cryptographic algorithm that is present in every OS that's shipped for the last 25 years and was the default algorithm for so long, Steve Syfuhs, who runs Microsoft's Windows Authentication team, wrote on Bluesky. "See," he continued, "the problem is not that the algorithm exists. The problem is how the algorithm is chosen, and the rules governing that spanned 20 years of code changes."

A critical React vulnerability (CVE-2025-55182) is being actively exploited at scale by Chinese, Iranian, North Korean, and criminal groups to gain remote code execution, deploy backdoors, and mine crypto. The Register reports: React maintainers disclosed the critical bug on December 3, and exploitation began almost immediately. According to Amazon's threat intel team, Chinese government crews, including Earth Lamia and Jackpot Panda, started battering the security hole within hours of its disclosure. Palo Alto Networks' Unit 42 responders have put the victim count at more than 50 organizations across multiple sectors, with attackers from North Korea also abusing the flaw.

Google, in a late Friday report, said at least five other suspected PRC spy groups also exploited React2Shell, along with criminals who deployed XMRig for illicit cryptocurrency mining, and "Iran-nexus actors," although the report doesn't provide any additional details about who the Iran-linked groups are and what they are doing after exploitation. "GTIG has also observed numerous discussions regarding CVE-2025-55182 in underground forums, including threads in which threat actors have shared links to scanning tools, proof-of-concept (PoC) code, and their experiences using these tools," the researchers wrote.