{"id":106304,"date":"2026-01-08T00:00:00","date_gmt":"2026-01-07T22:00:00","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?post_type=zero-post&#038;p=106304"},"modified":"2026-02-27T20:38:11","modified_gmt":"2026-02-27T18:38:11","slug":"last-week-in-appsec-for-08-january-2026","status":"publish","type":"zero-post","link":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-08-january-2026\/","title":{"rendered":"Last Week in AppSec for 08. January 2026"},"content":{"rendered":"<p class=\"print-source-info\">This document copyright Checkmarx, all rights reserved.<\/p>\n<p>\n  In this edition of <em>Last Week In AppSec,<\/em> we have a host of\n  vulnerabilities along with a few other items of note:\n<\/p>\n<ol type=\"1\">\n  <li><p>Changes to the series for 2026,<\/p><\/li>\n  <li><p>React2Shell exploitation continues,<\/p><\/li>\n  <li><p>Shai-Hulud 3.0 turns out not to be a thing,<\/p><\/li>\n  <li><p>MongoBleed leaks secrets from MongoDB servers,<\/p><\/li>\n  <li>\n    <p>\n      The AdonisJS web framework struggles to handle multipart form data\n      (arbitrary file write),\n    <\/p>\n  <\/li>\n  <li>\n    <p>\n      The RustFS distributed object store hardcodes a gRPC token leading to auth\n      bypass\n    <\/p>\n  <\/li>\n<\/ol>\n<h2 id=\"changes-to-the-last-week-in-appsec-series-for-2026\" class=\"article-anchor\">\n  Changes to the <em>Last Week In AppSec<\/em> series for 2026\n<\/h2>\n<p>\n  I started writing this series last year as an experiment and learned quite a\n  bit. 
Based on reader feedback and a handful of other factors, there will be a\n  few changes to it in 2026, and a few things that will stay very much the same:\n<\/p>\n<ul>\n  <li>\n    <p>The feature will publish on Thursdays rather than early in the week<\/p>\n  <\/li>\n  <li>\n    <p>\n      I\u2019m removing the constraint of only talking about things that didn\u2019t get\n      attention. I\u2019ll still look for those, but the focus will be on things that\n      are interesting and impactful for defenders.\n    <\/p>\n  <\/li>\n  <li>\n    <p>\n      I\u2019m still not going to use AI to write or edit. However, I\n      <em>will<\/em> use AI tools in a targeted way to make educated guesses.\n      AI-produced content will be\n      <mark class=\"ai-content\">highlighted like so<\/mark> (for \u201cview source\u201d\n      nerds: <code>&lt;mark class=&quot;ai-content&quot;&gt;<\/code>), or otherwise unambiguously\n      labeled. The \u201cfeature images\u201d on each article are all AI-generated\n      illustrations.\n    <\/p>\n  <\/li>\n  <li>\n    <p>\n      I\u2019m going to make an effort to have more detailed information about\n      vulnerability advisories we cover in the series, making sure to include\n      at-a-glance information that\u2019s critical for defenders. This will evolve as\n      the year goes on, and will probably be ugly: I\u2019m a researcher, not a\n      designer \ud83d\ude09\n    <\/p>\n  <\/li>\n  <li>\n    <p>\n      There will be weeks when it doesn\u2019t make sense to publish\n      <em>Last Week In AppSec<\/em>, and I just\u2026 won\u2019t. If I\u2019m on vacation, if\n      there\u2019s a large incident in the industry that I\u2019m helping Checkmarx\n      customers navigate (*cough* Shai-Hulud *cough*), etc. 
then it might just\n      get skipped without comment.\n    <\/p>\n  <\/li>\n<\/ul>\n<p>\n  I\u2019m looking forward to continuing to do this in 2026, and I hope you\u2019re\n  looking forward to reading!\n<\/p>\n<h2 id=\"react2shell-exploitation-just-keeps-on-going\" class=\"article-anchor\">\n  React2Shell exploitation just keeps on going\n<\/h2>\n<div id=\"CVE-2025-55182\" class=\"cxzero-cve-block\">\n  <p>\n    <a href=\"https:\/\/devhub.checkmarx.com\/cve-details\/CVE-2025-55182\/\" class=\"vulnid\">CVE-2025-55182<\/a>\n    <span class=\"cvss critical\">CVSS v3.1 10.0<\/span>\n    <span class=\"vector\"><a href=\"https:\/\/www.first.org\/cvss\/calculator\/3-1#CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H\">CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H<\/a><\/span>\n    <span class=\"vulndesc\">React2Shell: A pre-authentication remote code execution vulnerability\n      exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and\n      19.2.0<\/span>\n  <\/p>\n<\/div>\n<p>\n  The\n  <a href=\"https:\/\/checkmarx.com\/zero-post\/react2shell-cve-2025-55182-deserialization-to-remote-code-execution-in-react-and-next-js\/\">React2Shell<\/a>\n  vulnerability from 03. December 2025 remains persistent, and is being actively\n  exploited as\n  <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/threat-actors-exploit-react2shell-cve-2025-55182\">Google reported on 12. December<\/a>. Payloads observed include:\n<\/p>\n<ul>\n  <li>MINOCAT<\/li>\n  <li>SNOWLIGHT<\/li>\n  <li>COMPOOD<\/li>\n  <li>HISONIC<\/li>\n  <li>ANGRYREBEL<\/li>\n<\/ul>\n<p>\n  Patching your own React and Next.js applications is critical, as is ensuring\n  that vendor and cloud applications have received appropriate patches. 
Read\n  <a href=\"https:\/\/checkmarx.com\/zero-post\/react2shell-cve-2025-55182-deserialization-to-remote-code-execution-in-react-and-next-js\/\">Checkmarx Zero\u2019s analysis<\/a>\n  for details.\n<\/p>\n<h3 id=\"checkmarx-support\">Checkmarx Support<\/h3>\n<p>\n  React2Shell is detected by\n  <a href=\"https:\/\/checkmarx.com\/cxsca-open-source-scanning\/\">Checkmarx SCA<\/a>,\n  so your regular SCA scans should report this impact. You can also use your\n  <a href=\"https:\/\/docs.checkmarx.com\/en\/34965-19146-viewing-the-global-inventory-and-risks-page.html\">Global Inventory &amp; Risks view<\/a>\n  to search for <code>react<\/code> and <code>next<\/code> to find out if you\u2019re\n  using those components. Consult with your support team for assistance.\n<\/p>\n<h2 id=\"shai-hulud-3.0-is-a-stunted-worm-and-we-dont-even-get-water-of-life\" class=\"article-anchor\">\n  Shai-Hulud 3.0 is a stunted worm, and we don\u2019t even get Water of Life\n<\/h2>\n<p>\n  (Too much\n  <a href=\"https:\/\/dune.fandom.com\/wiki\/Water_of_Life#Sources\"><em>Dune<\/em> nerdery?<\/a>\n  No? Fantastic.)\n<\/p>\n<div id=\"MAL-2025-192994\" class=\"cxzero-cve-block\">\n  <p>\n    <a href=\"https:\/\/osv.dev\/vulnerability\/MAL-2025-192994\">MAL-2025-192994<\/a>;\n    Checkmarx MPIAPI ID\n    <span class=\"vector\">f935aa42e43dd2353de683ad8b4be195ad21ce1a<\/span>\n    <span class=\"vulndesc\"><strong>@vietmoney\/react-big-calendar@0.26.2<\/strong>\n      contains malicious content including data exfiltration and a failed\n      attempt at self-replication<\/span>\n  <\/p>\n<\/div>\n<p>\n  Despite a few researchers sounding alarms over a \u201cShai-Hulud 3.0\u201d, the actual\n  vulnerability turned out to be kind of a dud. 
This looks a lot to me like\n  someone experimenting with\n  <a href=\"https:\/\/checkmarx.com\/zero-post\/inside-shai-huluds-maw-how-the-npm-worm-exploits-and-propagates\/\">the tactics of Shai-Hulud<\/a>, but failing and producing a stunted worm incapable of causing widespread\n  damage.\n<\/p>\n<p>\n  The infected package is not in widespread use, so it\u2019s unlikely you\u2019re\n  affected. But the following IOCs may be of use:\n<\/p>\n<pre><code>&quot;ioc&quot;: [\n            &quot;4d6b9efc22ec229be58b90c7991c02dd&quot;,\n            &quot;6914d930998108adfc93b7fe1aa3e64e&quot;,\n            &quot;github\/workflows\/discussion.yaml&quot;,\n            &quot;github\/workflows\/formatter_123456789.yml&quot;\n        ],<\/code><\/pre>\n<h3 id=\"checkmarx-support-1\">Checkmarx Support<\/h3>\n<p>\n  <a href=\"https:\/\/checkmarx.com\/cxsca-open-source-scanning\/\">Checkmarx SCA<\/a>\n  will detect this package (as well as the packages known to be impacted by\n  <a href=\"https:\/\/checkmarx.com\/zero-post\/inside-shai-huluds-maw-how-the-npm-worm-exploits-and-propagates\/\">prior Shai-Hulud variants<\/a>) for customers with the\n  <a href=\"https:\/\/checkmarx.com\/product\/malicious-packages\/\">MPP<\/a> add-on\n  (included with\n  <a href=\"https:\/\/checkmarx.com\/packaging\/\">Checkmarx One Professional and Enterprise bundles<\/a>).\n<\/p>\n<p>\n  Advanced orgs who have purchased the\n  <a href=\"https:\/\/checkmarx.com\/malicious-packages-identification-api\/\">Malicious Package Identification<\/a>\n  product (not included with Checkmarx One) can use it to query up-to-date IOCs\n  and get further information about the risk.\n<\/p>\n<h2 id=\"mongobleed-data-leaking-from-mongodb-servers\" class=\"article-anchor\">\n  MongoBleed: data leaking from MongoDB servers\n<\/h2>\n<div id=\"CVE-2025-14847\" class=\"cxzero-cve-block\">\n  <p>\n    <a href=\"https:\/\/devhub.checkmarx.com\/cve-details\/CVE-2025-14847\/\" class=\"vulnid\">CVE-2025-14847<\/a>\n    <span 
class=\"cvss high\">CVSS v4.0 8.7<\/span>\n    <span class=\"vector\"><a href=\"https:\/\/www.first.org\/cvss\/calculator\/4-0#CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:H\/VI:N\/VA:N\/SC:N\/SI:N\/SA:N\">CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:H\/VI:N\/VA:N\/SC:N\/SI:N\/SA:N<\/a><\/span>\n    <span class=\"vulndesc\">MongoBleed: attacker-controlled zlib-compressed wire-protocol messages\n      can cause MongoDB Server to leak contents of the host\u2019s heap memory,\n      exposing secrets such as encryption keys and authentication tokens<\/span>\n    <span class=\"kev\">Appears in\n      <a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-14847\">CISA KEV<\/a><\/span>\n  <\/p>\n<\/div>\n<p>\n  Attackers who can control zlib-compressed wire-protocol messages\n  sent to a MongoDB server, either directly over the network or by tampering\n  with application inputs, can cause MongoDB to leak contents of the host\u2019s heap\n  memory. A patient attacker can use this to recover memory fragments that\n  contain important secrets, such as encryption keys, authentication tokens, and\n  so on.\n<\/p>\n<p>\n  While most organizations\u2019 environmental controls (such as placing strict\n  limits on network access to MongoDB instances) will significantly reduce the\n  likelihood of exploitation, the impact is high enough to take this seriously,\n  especially because it has been added to the CISA KEV (Known Exploited\n  Vulnerabilities) catalog, which speaks to its reproducibility.\n<\/p>\n<p>In short:<\/p>\n<ul>\n  <li>\n    Make sure untrusted and public networks don\u2019t have access to port 27017 (or\n    any alternative MongoDB port)\n  <\/li>\n  <li>\n    Examine <abbr title=\"Infrastructure as Code\">IaC<\/abbr> configurations to\n    determine if your deployments are unsafely exposing MongoDB instances\n  <\/li>\n  <li>\n    Ensure you update to a patched version of MongoDB Server: 8.2.3, 8.0.17,\n    7.0.28, 6.0.27, 5.0.32, or 4.4.30; versions at or above these releases\n    should 
be safe from this issue\n  <\/li>\n  <li>\n    If you see evidence of exposure or exploitation, rotate any credentials and\n    keys that might be in use on the MongoDB host\n  <\/li>\n<\/ul>\n<h3 id=\"checkmarx-support-2\">Checkmarx Support<\/h3>\n<p>\n  Checkmarx Zero\u2019s open source offerings include a free and open source\n  Infrastructure as Code (IaC) scanner: <a href=\"https:\/\/kics.io\/\">KICS<\/a>,\n  which can identify ports open to public networks within many types of IaC\n  systems.\n<\/p>\n<h2 id=\"adonisjs-can-write-arbitrary-files-to-its-server\" class=\"article-anchor\">\n  AdonisJS can write arbitrary files to its server\n<\/h2>\n<div id=\"CVE-2026-21440\" class=\"cxzero-cve-block\">\n  <p>\n    <a href=\"https:\/\/devhub.checkmarx.com\/cve-details\/CVE-2026-21440\/\" class=\"vulnid\">CVE-2026-21440<\/a>\n    <span class=\"cvss critical\">CVSS v4.0 9.2<\/span>\n    <span class=\"vector\"><a href=\"https:\/\/www.first.org\/cvss\/calculator\/4-0#CVSS:4.0\/AV:N\/AC:L\/AT:P\/PR:N\/UI:N\/VC:H\/VI:H\/VA:H\/SC:N\/SI:N\/SA:N\">CVSS:4.0\/AV:N\/AC:L\/AT:P\/PR:N\/UI:N\/VC:H\/VI:H\/VA:H\/SC:N\/SI:N\/SA:N<\/a><\/span>\n    <span class=\"vulndesc\"><span class=\"citation\" data-cites=\"adonisjs\/bodyparser\">@adonisjs\/bodyparser<\/span>\n      applications that handle multipart form data and save files allow\n      arbitrary file creation and replacement, through version 10.1.1 and 11.x\n      prerelease versions prior to 11.0.0-next.6<\/span>\n  <\/p>\n<\/div>\n<p>\n  If developers consuming the AdonisJS <code>BodyParser<\/code> use\n  <code>MultipartFile.move()<\/code> with defaults for\n  <code>options.name<\/code> and\/or <code>options.overwrite<\/code>, and an\n  attacker finds out, then that attacker can specify an arbitrary relative path\n  and create or overwrite files on the server.\n<\/p>\n<p>You\u2019re likely affected if:<\/p>\n<ul>\n  <li>\n    you have a vulnerable version of AdonisJS (prior to 10.1.1 or 11.x\n    prereleases before 
11.0.0-next.6) in an application\n  <\/li>\n  <li>\n    that application accepts file uploads as <code>MultipartFile<\/code> using\n    <code>BodyParser<\/code>\n  <\/li>\n  <li>\n    the application calls <code>MultipartFile.move(filename, options)<\/code> and\n    either omits <code>options<\/code> or passes one without a sanitized\n    <code>options.name<\/code>. This allows an attacker to write files that don\u2019t\n    yet exist.\n  <\/li>\n  <li>\n    the <code>options<\/code> above also leaves <code>options.overwrite<\/code> at\n    its default or sets it to <code>true<\/code>. With all of the above, an\n    attacker can overwrite any file the application has write access to.\n  <\/li>\n<\/ul>\n<p>Patch to 10.1.1 to repair.<\/p>\n<p>Mitigations include:<\/p>\n<ul>\n  <li>\n    Identify applications with the vulnerable components; find unsafe uses of\n    <code>MultipartFile.move()<\/code> and improve them.\n    <strong>You should consider this even if you choose to patch, as it provides\n      defense in depth.<\/strong>\n  <\/li>\n  <li>\n    Ensure web applications run with restricted user accounts in sandboxed\n    environments. System-level access restrictions can prevent serious damage in\n    many cases.\n  <\/li>\n<\/ul>\n<h3 id=\"checkmarx-support-3\">Checkmarx Support<\/h3>\n<p>\n  Your regular\n  <a href=\"https:\/\/checkmarx.com\/cxsca-open-source-scanning\/\">Checkmarx SCA<\/a>\n  scans should report this risk. You can also use your\n  <a href=\"https:\/\/docs.checkmarx.com\/en\/34965-19146-viewing-the-global-inventory-and-risks-page.html\">Global Inventory &amp; Risks view<\/a>\n  to search for <code>@adonisjs\/bodyparser<\/code> to find out if you\u2019re using\n  that component. 
Consult with your support team if you need assistance with\n  this.\n<\/p>\n<h2 id=\"rustfs-hardcoded-credential-leads-to-auth-bypass-in-rpc-component\" class=\"article-anchor\">\n  RustFS hardcoded credential leads to auth bypass in RPC component\n<\/h2>\n<div id=\"CVE-2025-68926\" class=\"cxzero-cve-block\">\n  <p>\n    <a href=\"https:\/\/devhub.checkmarx.com\/cve-details\/CVE-2025-68926\/\" class=\"vulnid\">CVE-2025-68926<\/a>\n    <span class=\"cvss critical\">CVSS v3.1 9.8<\/span>\n    <span class=\"vector\"><a href=\"https:\/\/www.first.org\/cvss\/calculator\/3-1#CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H\">CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H<\/a><\/span>\n    <span class=\"vulndesc\">RustFS distributed object storage system versions prior to 1.0.0-alpha.78\n      use a hardcoded token allowing clients to bypass auth<\/span>\n  <\/p>\n<\/div>\n<p>\n  The RustFS object storage system maintainers are learning the pain that comes\n  with hardcoded credentials. In this case, though, the credential that\u2019s in\n  their GitHub repository isn\u2019t for some other remote system: it\u2019s for RustFS\n  itself.\n<\/p>\n<p>\n  Devs included the token <code>\"rustfs rpc\"<\/code> in their code, and checked\n  it in to both client and server components. RustFS uses this to enable gRPC\n  communication between client and server, and there\u2019s no mechanism to rotate it\n  in the affected versions.\n<\/p>\n<p>\n  This means that if an attacker can see the gRPC port of a RustFS client or\n  server, they can establish an authenticated channel that lets them destroy\n  objects, change policies, and reconfigure RustFS clusters. Whoops.\n<\/p>\n<p>\n  In my experience, this sort of thing is a lot easier to do by accident than\n  people think. As you\u2019re trying to get something to work (remember, this is\n  still pre-1.0!), sometimes you take a shortcut and forget to go back and fix\n  it. 
And then someone uses it in production, and bad things happen.\n<\/p>\n<p>\n  You\u2019re impacted by this if you have a RustFS cluster with a version older than\n  1.0.0-alpha.78. If you do, patch right away.\n<\/p>\n<p>\n  Mitigation options include blocking access to gRPC ports, though this can\n  degrade service depending on your requirements.\n<\/p>\n<h3 id=\"checkmarx-support-4\">Checkmarx Support<\/h3>\n<p>\n  We can help you avoid similar situations in your own code. Your\n  <a href=\"https:\/\/checkmarx.com\/cxsast-source-code-scanning\/\">Checkmarx SAST<\/a>\n  scan is capable of detecting hard-coded credentials, including gRPC tokens.\n  Selecting the appropriate policy and query configuration is important to\n  discovering such tokens; seek help from your support team if you\u2019re not sure\n  how to detect hardcoded credentials.\n<\/p>\n<p>\n  Customer or not, Checkmarx Zero offers an open-source secrets scanner that can\n  stand alone: check out <strong>2MS<\/strong> (are you interested in Setec\n  Astronomy?) 
from our\n  <a href=\"https:\/\/checkmarx.com\/zero\/tools\/\">tools page<\/a>.\n<\/p>\n","protected":false},"excerpt":{"rendered":"<p>React2Shell keeps going, Shai-Hulud doesn&#8217;t. 
MongoDB and RustFS have problems. AdonisJS could write arbitrary files. 08. January 2026: Last Week In AppSec<\/p>\n","protected":false},"author":137,"featured_media":106306,"template":"","zero-category":[1333],"zero-tag":[1338,1342,1479,1337,1483,1071],"class_list":["post-106304","zero-post","type-zero-post","status-publish","has-post-thumbnail","hentry","zero-category-security-news","zero-tag-javascript","zero-tag-last-week-in-appsec","zero-tag-mongodb","zero-tag-npm","zero-tag-rust","zero-tag-supply-chain-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Last Week in AppSec for 08. January 2026 - Checkmarx<\/title>\n<meta name=\"description\" content=\"React2Shell keeps going, Shai-Hulud doesn&#039;t. MongoDB and RustFS have problems. AdonisJS could write arbitrary files. 08. January 2026: Last Week In AppSec\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-08-january-2026\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Last Week in AppSec for 08. January 2026 - Checkmarx\" \/>\n<meta property=\"og:description\" content=\"React2Shell keeps going, Shai-Hulud doesn&#039;t. MongoDB and RustFS have problems. AdonisJS could write arbitrary files. 08. 
January 2026: Last Week In AppSec\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-08-january-2026\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-27T18:38:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/cxzero-2026-01-08_last-week-in-appsec.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1280\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-08-january-2026\/\",\"url\":\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-08-january-2026\/\",\"name\":\"Last Week in AppSec for 08. January 2026 - Checkmarx\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-08-january-2026\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-08-january-2026\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/cxzero-2026-01-08_last-week-in-appsec.webp\",\"datePublished\":\"2026-01-07T22:00:00+00:00\",\"dateModified\":\"2026-02-27T18:38:11+00:00\",\"description\":\"React2Shell keeps going, Shai-Hulud doesn't. MongoDB and RustFS have problems. 
AdonisJS could write arbitrary files. 08. January 2026: Last Week In AppSec\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-08-january-2026\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-08-january-2026\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/cxzero-2026-01-08_last-week-in-appsec.webp\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/cxzero-2026-01-08_last-week-in-appsec.webp\",\"width\":2560,\"height\":1280,\"caption\":\"A graffiti style image showing workers working on servers with labels of several open-source systems.\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkm
arx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Last Week in AppSec for 08. January 2026 - Checkmarx","description":"React2Shell keeps going, Shai-Hulud doesn't. MongoDB and RustFS have problems. AdonisJS could write arbitrary files. 08. January 2026: Last Week In AppSec","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-08-january-2026\/","og_locale":"en_US","og_type":"article","og_title":"Last Week in AppSec for 08. January 2026 - Checkmarx","og_description":"React2Shell keeps going, Shai-Hulud doesn't. MongoDB and RustFS have problems. AdonisJS could write arbitrary files. 08. January 2026: Last Week In AppSec","og_url":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-08-january-2026\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_modified_time":"2026-02-27T18:38:11+00:00","og_image":[{"width":2560,"height":1280,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/cxzero-2026-01-08_last-week-in-appsec.webp","type":"image\/webp"}],"twitter_card":"summary_large_image","twitter_site":"@checkmarx","twitter_misc":{"Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-08-january-2026\/","url":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-08-january-2026\/","name":"Last Week in AppSec for 08. 
January 2026 - Checkmarx","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-08-january-2026\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-08-january-2026\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/cxzero-2026-01-08_last-week-in-appsec.webp","datePublished":"2026-01-07T22:00:00+00:00","dateModified":"2026-02-27T18:38:11+00:00","description":"React2Shell keeps going, Shai-Hulud doesn't. MongoDB and RustFS have problems. AdonisJS could write arbitrary files. 08. January 2026: Last Week In AppSec","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-08-january-2026\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-08-january-2026\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/cxzero-2026-01-08_last-week-in-appsec.webp","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/cxzero-2026-01-08_last-week-in-appsec.webp","width":2560,"height":1280,"caption":"A graffiti style image showing workers working on servers with labels of several open-source systems."},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. 
We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post\/106304","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/zero-post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/137"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/106306"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=106304"}],"wp:term":[{"taxonomy":"zero-category","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-category?post=106304"},{"taxonomy":"zero-tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-tag?post=106304"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}