Archive for Flashpoint

Flashpoint Analysis: Critical React RCE Vulnerability Puts Digital Supply Chains at Risk 

Posted in Commentary with tags on December 4, 2025 by itnerd

Here is a new Flashpoint post that breaks down a rapidly developing security story: a critical Remote Code Execution vulnerability in React that is already drawing significant attention across the threat landscape. The post offers Flashpoint’s expert perspective on the scope of exposure and the implications for digital supply-chain security.

What Flashpoint is Seeing

  • The flaw (CVE-2025-55182) is a critical RCE vulnerability in React Server Components that allows unauthenticated remote code execution.
  • All React versions since 19.0.0 are affected, putting a massive portion of today’s web applications at risk.
  • Given React’s ubiquity, the supply-chain impact is extensive — Flashpoint notes that this vulnerability creates broad downstream exposure across organizations and vendors relying on React-based infrastructure.
  • Early signs of attacker interest are already emerging, heightening the urgency for defenders.

Impact
Flashpoint’s perspective highlights how this isn’t just a typical open-source bug — it has the potential to become a wide-scale supply-chain event, affecting enterprises, SaaS providers, and cloud-native applications. If exploited, it could lead to server compromise, data exfiltration, and large-scale operational disruption.

Here’s the analysis:
https://flashpoint.io/blog/digital-supply-chain-risk-vulnerability-react-unauthorized-remote-code-execution/

Flashpoint Posts The Top 5 Predictions For The 2026 Threat Landscape

Posted in Commentary with tags on December 2, 2025 by itnerd

Today, Flashpoint has published a new forward-looking post titled “Flashpoint’s Top 5 Predictions for the 2026 Threat Landscape.” It outlines where cyber and physical risk are heading as AI advances, identity becomes a primary attack surface, and supply-chain threats evolve.

Key Takeaways:

  • AI-driven threats escalate: Attackers begin leveraging more autonomous and integrated AI systems, not just model-based exploits.
  • Identity becomes the new battleground: Infostealers to fuel most intrusions by capturing credentials, tokens, and cloud access.
  • Vulnerability intelligence shifts: Instability in public vulnerability databases pushes organizations toward redundant, intelligence-driven tracking.
  • Cyber-physical targeting grows: Threat actors increasingly target executives and individuals as digital and physical risks fully converge.
  • Supply-chain risk intensifies: Identity-based compromise and third-party access become prime vectors for extortion and infiltration.

Post Link: https://flashpoint.io/blog/flashpoints-top-5-predictions-for-the-2026-threat-landscape/

2025 Holiday Threat Assessment From Flashpoint

Posted in Commentary with tags on November 18, 2025 by itnerd


The 2025 holiday shopping season is expected to bring record retail spending, with US sales projected to surpass $1 trillion USD for the first time. At the same time, this surge in online activity and spending creates a lucrative environment for financially motivated threat actors. 

As cybercriminals intensify their efforts to exploit the holiday season, Flashpoint shares the top cyber and physical threats that people can expect this holiday season:

QR Code Fraud

  • The core technique involves creating convincing fake QR codes, often leveraging readily available public QR code generators that redirect victims to malicious sites.

Gift Card Draining

  • The widespread popularity of gift cards has made them a prime target for organized financial crime, specifically financially motivated organized fraud groups.
  • The process is highly organized: first, they lift and reseal the protective sticker to obtain the PIN and card number. Then, the fraud operators leverage specialized software to monitor the card’s status. The moment a consumer purchases and activates the card at the register, the funds are instantly drained.

Phishing and Social Engineering

  • Flashpoint expects threat actors to deploy highly tailored phishing emails and text messages designed to steal sensitive information such as login credentials and financial details from unsuspecting retail employees and shoppers.

Crowds and Physical Violence 

  • While the digital domain encapsulates most of the threats in the 2025 holiday season, large holiday events and public gatherings, such as Black Friday doorbusters, the Macy’s Thanksgiving Day Parade in New York City, and various European Christmas markets or Hanukkah events, may become targets, as global social and political tensions remain heightened.

A full blog post has been published on the topic:

Flashpoint Serves Up An Analysis Of LockBit 5.0

Posted in Commentary with tags on November 6, 2025 by itnerd

On the back of Flashpoint’s report last week on the Evolution of Data Extortion, I wanted to surface a blog post that just went live this morning from the Flashpoint team about LockBit 5.0 Analysis.

It’s a deep dive into the latest evolution of the dominant Ransomware-as-a-Service (RaaS) group. Flashpoint’s analysis confirms its key innovation is a refined modular two-stage deployment model designed to maximize evasion, modularity, and EDR bypass.

The blog post is here: https://flashpoint.io/blog/lockbit-5-0-analysis-technical-deep-dive-into-the-raas-giants-latest-upgrade/.

Flashpoint Digs Deep Into Evolution of Data Extortion

Posted in Commentary with tags on October 28, 2025 by itnerd

Flashpoint has a new report about the Evolution of Data Extortion that was just released along with a blog post explaining the research.

Flashpoint’s report provides a comprehensive analysis of the evolution of data extortion groups, tracing their trajectory from fragmented, low-sophistication criminal activity in 2015 to a professionalized, cloud-centric, and human-operated threat landscape by 2025. It examines the operational arcs of key threat actors, including “The Dark Overlord,” “LAPSUS$,” and “ShinyHunters,” and documents a fundamental shift in their tactics, techniques, and procedures (TTPs). The focus has moved away from brute-force technical exploits toward sophisticated social engineering and supply chain attacks.
 
The future of data extortion by these and similar groups will likely target software-as-a-service (SaaS) interdependencies and identity federation, requiring a strategic pivot in defensive postures from perimeter-based security toward proactive Cloud Security Posture Management (SSPM) and robust human defenses.
 
Contents of the 18-page report include:

  • Opportunistic Data Extortion: 2015–2018
  • Group Formalization and Attention Seeking: 2018–2020
  • Extortion Platform Consolidation: 2020–2023
  • Cloud Extortion and Identity Abuse: 2024–2025
  • Role of Specialized Communities

Here’s the link with more details: https://flashpoint.io/blog/data-extortion-ttps-exploiting-code-people/.

Now Available: The Proactive Defenders Guide to Infostealers From Flashpoint

Posted in Commentary with tags on October 22, 2025 by itnerd

We’ve all heard about a new wave of breaches sparked by a single stolen employee credential, which marked the dawn of a new era in cyber risk: the rise of information-stealing malware (“infostealers”). This year alone, Flashpoint has identified over 1.8 billion stolen credentials circulating across illicit marketplaces, fueling identity-based attacks at an incredible and still growing scale.

To help organizations fight back, Flashpoint is releasing The Proactive Defender’s Guide to Infostealers—a practical resource for IT, Threat Intelligence, and Fraud teams. The 22-page guide provides:

  • A breakdown of the most prolific infostealers and their role in modern attack chains – Learn which strains are the most popular, how they incorporate tactics such as vulnerability exploits and ransomware, and how you can better defend against them. 
  • Strategies for managing the identity attack surface – Understand how threat actors weaponize stolen identities, and how your team can monitor, prioritize, and respond before damage is done. 
  • Guidance on operationalizing infostealer intelligence for proactive defense – Leverage Flashpoint’s comprehensive infostealer intelligence to reverse-engineer data dumps, understand infection trends, and address potential security gaps before threat actors exploit them.

The report can be found here, and a blog post about the report is here.

Flashpoint Posts A Backgrounder On Scattered Spider

Posted in Commentary with tags on September 24, 2025 by itnerd

Today I have a backgrounder on the threat actor known as Scattered Spider that’s been provided to me by Flashpoint. Backgrounders like this one take a lot of time and effort to research so shoutout to Flashpoint for providing me with this.

You can read the backgrounder here: https://flashpoint.io/blog/scattered-spider-threat-profile/?CRO1=control_%233007%2Cvariant_%231027

It goes into detail about the threat actor and their recent arrest, which I will get to in a future post. But in the meantime, I would encourage you to read this as it is well worth your attention.

Blog Post: How Flashpoint Is Reinventing Cyber Threat Investigations with AI

Posted in Commentary with tags on September 23, 2025 by itnerd

This afternoon, Flashpoint announced in a blog post Flashpoint Investigation Management’s new AI-powered capabilities, which allow customers to upload their own findings, choose what to summarize, use smart prompts, and chat with AI for follow-up analysis, all within a single investigation workspace. Flashpoint also provides a video walkthrough here.

AI is only as good as the data it’s built on. There’s no shortage of “AI assistants” in cybersecurity right now. But most rely on generic models, scraped content, or siloed data and fall short when applied to the nuanced world of threat intelligence.

The news highlights how Flashpoint is reinventing cyber threat investigations with AI and goes into depth on the following topics:

  • Why Investigation Workflows Matter in Cyber Threat Intelligence
  • What Is an AI-Powered Threat Investigation Workspace?
  • How Analyst Teams Use Investigation’s Workspace
  • How Flashpoint’s AI is Different

You can read their blog post here.

Flashpoint’s New Guidebook on Primary Source Collections Is Out

Posted in Commentary with tags on September 12, 2025 by itnerd

Executives don’t ask for “security data feeds.” They want to know: Are we exposed? What’s the impact? How do we respond? 

Modern threat intelligence teams are under constant pressure to deliver precise, contextual answers to these questions—not just for cybersecurity, but also for fraud, legal, insider risk, physical security, and more. These internal stakeholders demand clarity on issues like whether a brand is being directly targeted, who is behind a disinformation campaign, or what fraud tactics are emerging in closed, non-English-speaking communities. 

Flashpoint has released a guide on primary source collection entitled Upgrade Your Threat Intelligence: Gain the Primary Source Advantage.

Traditional “data-first” frameworks produce breadth without depth, forcing teams into a passive role. Such questions can’t be answered by static dashboards or broad threat feeds; they require direct access to original sources, adaptive collection, and expert analysis that ties threats to business impact.

In this report, Flashpoint lays out how Primary Source Collection changes the equation compared with doing data collection the usual way. Without this approach, organizations risk blind spots—unmonitored closed communities, fast-moving threats missed by rigid collection schedules, and generic context divorced from business needs.

You can read the report here: http://flashpoint.io/resources/e-book/threat-intelligence-gain-primary-source-advantage

Flashpoint Releases Global Threat Intelligence Index: 2025 Midyear Edition 

Posted in Commentary with tags on July 31, 2025 by itnerd

Flashpoint just released its Global Threat Intelligence Index: 2025 Midyear Edition (Jan. 1-June 30, 2025). Flashpoint also has a companion blog here.

Serving as a companion to the Flashpoint 2025 Global Threat Intelligence Report (GTIR), this mid-year update delivers new intelligence on the fast-moving trends, tools, and tactics shaping the volatile threat landscape. In the four months since the GTIR’s publication, Flashpoint has observed the following rapid escalations in threat activity in 2025, with these percentages reflecting growth since the beginning of the year:

  • The theft of credentials via information-stealing malware has skyrocketed by 800%.
  • Vulnerability disclosures increased by 246%, with publicly available exploits rising by 179%.
  • Ransomware incidents rose by 179%.
  • Data breaches have surged by 235%.

This report and the companion blog post are very much worth your time to read if you’re responsible for defending your environment from threats.