Cybersecurity Today – “Shady Panda Hides For Years In Legitimate Browser Extensions”
Host: Jim Love
Date: December 5, 2025
Episode Overview
In this episode, Jim Love covers the latest cybersecurity threats and news, featuring major vulnerabilities impacting developers, stealthy cybercriminal tactics hidden in browser extensions, and mishaps involving AI tools. The episode zooms in on how determined threat actors like Shadypanda can patiently exploit popular software, issues with widely used technologies such as React and Windows, and the enduring risk of sophisticated phishing platforms. Love also discusses a remarkable incident where an AI agent mistakenly wiped a developer’s hard drive, underscoring the need for caution with new automated tools.
Key Discussion Points & Insights
1. Critical React Server Components Vulnerability (CVE-2025-555182)
[00:48 – 03:13]
- Nature of the Flaw:
- Major vulnerability with a CVSS score of 10.0 — the highest risk possible.
- Affects React Server components and frameworks like Next.js.
- Attackers only need network access and a crafted HTTP request to exploit it.
- “The vulnerability affects default framework configurations, meaning standard deployments are immediately exploitable without special conditions.”
— Jim Love [01:31]
- Scope and Discovery:
- Discovered by Oligo Security and Cato Networks.
- Impacts nearly 39% of cloud environments, per Wiz.
- Recommended Actions:
- Meta and Vercel have released urgent patches.
- Temporary stopgaps: deploy web application firewall rules, monitor HTTP traffic, restrict network access.
- “Developers using React server components or Next JS should update to the fixed versions as soon as humanly possible.”
— Jim Love [02:51]
2. Microsoft Quietly Patches Long-Ignored Windows Shortcut Vulnerability
[03:13 – 04:51]
- Description:
- Flaw in how Windows processes shortcut (.lnk) files, leading to potential code execution.
- Microsoft previously deemed it low-risk and didn’t patch, despite researcher John Page (HYP3R links) demonstrating attacks.
- Recent Developments:
- Recently patched without fanfare—fix added in December’s update only after researcher prodding.
- “Shortcut based attacks have a long history...because the attack triggers without the user needing to open a file.”
— Jim Love [04:40]
- Advice:
- Ensure December Windows updates are applied to mitigate risk.
3. Evil Jinx: Renewed Phishing Threat Against Educational Institutions
[04:51 – 06:59]
- How It Works:
- Man-in-the-middle phishing framework that can bypass MFA by stealing session cookies.
- Attacks deliver fake login pages that act as live proxies to real sites.
- Consequences:
- Attackers gain access to email and data, and can change account settings until the legitimate owner revokes the stolen session.
- “These attacks are difficult to detect. The fake page uses valid TLS and real content from the legitimate site, making traditional look for the padlock advice ineffective.”
— Jim Love [06:24]
- Defense Measures:
- Use phishing-resistant MFA (hardware keys, passkeys).
- Be wary of unexpected links, use real-time anti-malware/web protection.
- If suspicious, revoke sessions and re-authenticate.
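The defense point above (why a live-proxy phishing page relays a one-time code or session but cannot relay a passkey) as an added, constructed simulation that is not Evilginx code or the show's own material; the origins, the challenge and the HMAC standing in for the authenticator's signature are all assumed:

```python
"""Why proxy phishing defeats codes/cookies but not passkeys (constructed).

A relying party (RP) verifies a WebAuthn-style assertion whose signed
clientData carries the origin the browser actually talked to. A proxy on a
look-alike domain forwards the assertion unchanged, so the origin inside it
no longer matches the RP and the login is rejected.
"""
import hashlib
import hmac
import json

RP_ORIGIN = "https://login.university.example"     # assumed legitimate site
PROXY_ORIGIN = "https://login-university.example"  # assumed phishing proxy
DEVICE_KEY = b"constructed-authenticator-secret"   # stands in for the private key


def authenticator_sign(challenge: str, origin: str) -> dict:
    """Browser puts the *real* page origin into clientData; the key signs it."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(DEVICE_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientData": client_data, "signature": sig}


def rp_verify(assertion: dict, challenge: str) -> bool:
    """RP checks the signature AND that clientData.origin is its own origin."""
    expected = hmac.new(DEVICE_KEY, assertion["clientData"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False
    data = json.loads(assertion["clientData"])
    return data["challenge"] == challenge and data["origin"] == RP_ORIGIN


def totp_login_via_proxy(code: str, valid_code: str) -> bool:
    """A one-time code carries no origin, so a proxy relays it unchanged and wins."""
    return code == valid_code


def passkey_login(via_proxy: bool) -> bool:
    """Same RP challenge either way; only the origin the browser saw differs."""
    challenge = "constructed-challenge"   # issued by the RP, forwarded as-is by a proxy
    origin = PROXY_ORIGIN if via_proxy else RP_ORIGIN
    return rp_verify(authenticator_sign(challenge, origin), challenge)
```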
4. Shadypanda Hides Malicious Browser Extensions for Years
[06:59 – 08:52]
- Strategy:
- Extensions for Chrome and Edge were fully functional and legitimate for years, amassing over 4 million users.
- Malicious code was slipped in via later updates, harvesting browsing data and sending it to what are likely Chinese servers.
- “Because updates appeared routine and the extensions had already built trust, the malicious behavior went largely unnoticed.”
— Jim Love [07:42]
- Response:
- Google claims no recent exploitation; Microsoft removed them following media inquiries.
- No full timeline from either company regarding detection/removal.
- Insight:
- Shows the patience and sophistication of modern threat actors.
- “Shadypanda appears to have waited years before turning these legitimate extensions into a data harvesting operation.”
— Jim Love [08:38]
5. Crucial Advice on Software Updates and Vigilance
[08:52 – 09:20]
- Reconsidering Update Advice:
- Updating is necessary but not a universal safeguard.
- Users must remain vigilant about all software—including updated tools.
- “You have to be constantly vigilant about software, even software that you update.”
— Jim Love [08:58]
6. Agentic AI Accidentally Wipes Developer’s Drive
[08:52 – 11:01]
- Incident:
- A developer asked Google’s new agentic AI tool to clear a cache file; due to misinterpretation and high permissions, it deleted the entire hard drive.
- No confirmation step—AI acted with full system authority.
- AI’s response: “I am deeply, deeply sorry. This is a critical failure on my part.”
— Jim Love [09:57]
- Broader Lesson:
- Illustrates the dangers of powerful, unsupervised tools.
- Need for strict safety controls and clear boundaries in automated systems.
- “With applications like this, who needs malware?”
— Jim Love, paraphrasing Groucho Marx [10:43]
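The two controls the incident lacked (a permission boundary and a confirmation step) as an added, constructed guardrail for an agent's "clear the cache" tool; this is not Google's tool, and the cache root, file names and the dry-run-by-default convention are assumptions:

```python
"""Guardrails for an agent cache-clearing tool (constructed example).

The tool only ever deletes inside an allowlisted cache root (least privilege)
and returns a plan that must be explicitly confirmed before anything is removed.
"""
import os
import tempfile
from pathlib import Path


def plan_cache_clear(target: str, cache_root: str) -> list[str]:
    """Resolve symlinks, then refuse any path that is not the cache root or inside it."""
    root = Path(cache_root).resolve()
    path = Path(target).resolve()
    if path != root and root not in path.parents:
        raise PermissionError(f"{target} is outside cache root {root}")
    if path.is_dir():
        return sorted(str(p) for p in path.rglob("*") if p.is_file())
    return [str(path)] if path.is_file() else []


def clear_cache(target: str, cache_root: str, confirmed: bool = False) -> list[str]:
    """Dry run by default; delete only after a human confirmed this exact plan."""
    plan = plan_cache_clear(target, cache_root)
    if confirmed:
        for f in plan:
            os.remove(f)
    return plan


def demo() -> dict:
    """Constructed scenario: a cache dir, a sibling file, and a request to wipe the parent."""
    base = Path(tempfile.mkdtemp())
    cache = base / "cache"
    (cache / "sub").mkdir(parents=True)
    (cache / "sub" / "a.tmp").write_text("x")
    (base / "important.txt").write_text("keep me")
    result = {"dry_run": clear_cache(str(cache / "sub"), str(cache))}  # nothing deleted yet
    try:
        clear_cache(str(base), str(cache), confirmed=True)  # parent of the cache: refused
        result["refused"] = False
    except PermissionError:
        result["refused"] = True
    clear_cache(str(cache / "sub"), str(cache), confirmed=True)  # in-bounds and confirmed
    result["survived"] = (base / "important.txt").exists()
    result["deleted"] = not (cache / "sub" / "a.tmp").exists()
    return result
```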
Notable Quotes & Memorable Moments
- “The vulnerability affects default framework configurations, meaning standard deployments are immediately exploitable without special conditions.”
— Jim Love [01:31]
- “Developers using React server components or Next JS should update to the fixed versions as soon as humanly possible.”
— Jim Love [02:51]
- “Shortcut based attacks have a long history...because the attack triggers without the user needing to open a file.”
— Jim Love [04:40]
- “These attacks are difficult to detect. The fake page uses valid TLS and real content from the legitimate site, making traditional look for the padlock advice ineffective.”
— Jim Love [06:24]
- “Because updates appeared routine and the extensions had already built trust, the malicious behavior went largely unnoticed.”
— Jim Love [07:42]
- “Shadypanda appears to have waited years before turning these legitimate extensions into a data harvesting operation.”
— Jim Love [08:38]
- “You have to be constantly vigilant about software, even software that you update.”
— Jim Love [08:58]
- “I am deeply, deeply sorry. This is a critical failure on my part.”
— Quoting Google’s agentic AI [09:57]
- “With applications like this, who needs malware?”
— Jim Love [10:43]
Timestamps for Key Segments
- React CVE-2025-555182 vulnerability: 00:48 – 03:13
- Windows shortcut flaw quietly patched: 03:13 – 04:51
- Evil Jinx phishing resurgence: 04:51 – 06:59
- Shadypanda’s browser extension campaign: 06:59 – 08:52
- Update and vigilance advice: 08:52 – 09:20
- Agentic AI deletes hard drive: 08:52 – 11:01
Conclusion & Takeaways
This episode highlights evolving tactics of cyber adversaries—from stealthy exploits within mainstream infrastructure to silent data collection through trusted tools. It underscores the necessity of consistent patching, but warns that vigilance must be ongoing—even after software has been vetted and updated. Finally, it reinforces that as new technologies like agentic AI emerge, robust safeguards and skepticism remain key to a secure digital environment.
