According to Dark Reading, 2025 was defined by a relentless Chinese state-sponsored hacking group, severe budget cuts at a key US cybersecurity agency, and a devastating software vulnerability. The APT group Salt Typhoon, also known as Operator Panda, continued its espionage campaign, hacking telecom giants like Verizon and AT&T and even breaching the US National Guard for nearly a year. In a major policy shift, the Cybersecurity and Infrastructure Security Agency (CISA) faced significant layoffs and budget cuts under the Trump administration, which also shut down the Cyber Safety Review Board. On the technical side, the year was rocked by React2Shell, a CVSS 10.0 vulnerability in the ubiquitous React framework that was exploited within hours, potentially affecting a third of cloud providers. The year also saw the rise of Shai-Hulud, a self-propagating open source malware worm, and major supply-chain attacks targeting hundreds of companies through their Salesforce integrations.
Salt Typhoon: The Unrelenting Spy
Here’s the thing about state-sponsored hackers: they don’t take years off. Salt Typhoon’s ongoing campaign is a masterclass in long-term persistence. They’re not just stealing data; they’re burrowing into the core infrastructure of telecoms and even the National Guard, pre-positioning themselves for God-knows-what. Adam Meyers from CrowdStrike nails it by pointing out their focus on internet-connected devices—routers, VPNs, security gear. These are the unglamorous, often forgotten boxes that don’t get regular patches or host fancy EDR software. It’s a brutal reminder that your security is only as strong as your most neglected device. For enterprises, especially in critical infrastructure, this screams the need for that “unified, cross-domain visibility” Meyers mentions. Basically, if you can’t see everything, you’re already compromised.
CISA Cuts: A Different Kind of Threat
This one is infuriating because it’s a self-inflicted wound. The layoffs and budget cuts at CISA, detailed in reports from Cybersecurity Dive, represent a threat of a completely different category. It’s not a flaw in code; it’s a flaw in policy. When John Bambenek says the immediate impact is felt by state and local governments, it’s a huge deal. We’re talking about small towns near military bases suddenly having to fend off nation-state spies on their own. CISA provided a force multiplier—vulnerability guidance, incident response, election security support. Dismantling that under the guise of getting “on mission” or fighting a “ministry of truth” is dangerously short-sighted. It basically tells every local water utility and school district they’re on their own. Good luck with that.
React2Shell: Log4Shell’s Ghost
Did we learn nothing? React2Shell feels like a brutal re-run of the Log4Shell nightmare. A ubiquitous piece of software, a max-score CVSS 10.0 vulnerability, and exploitation in hours. Stephen Fewer from Rapid7 puts the scale in perspective: over half a million affected public domains, and that’s just what’s visible on the internet. The internal network exposure is a giant unknown. The real kicker is the downstream framework impact—Next.js and others. It creates a sprawling, tangled attack surface. For developers and cloud providers, the patching frenzy was a panic-induced scramble. It exposes the fundamental risk of our dependence on these massive open-source projects. One critical flaw can bring the whole house down. Again.
Shai-Hulud and Salesforce: The New Attack Surfaces
The final two threats show attackers getting smarter about where to hit us. Shai-Hulud is terrifying because it weaponizes trust and automation. It’s not attacking a vulnerability; it’s poisoning the well of open-source components that every developer automatically trusts. As Justin Moore from Palo Alto Networks notes, it creates a “massive, multilayered attack surface” from a single compromise. It turns the software supply chain into a weapon that spreads itself. And then you have the Salesforce campaigns. Jaime Blasco is right—it’s the data. Salesforce is where the business credentials and high-value tickets live. Attacking it, and the OAuth tokens that connect it to other apps like Salesloft, is a brilliant way to achieve massive supply-chain impact. These attacks aren’t about breaking down walls anymore. They’re about walking through the integrated, trusted doors we’ve built between all our SaaS apps. So, what’s your weakest integration?
