Particle.news

Exploit-Driven Hacks Overtake Credential Abuse in Cloud Breaches, Google Warns

Google urges automated defenses to counter days-long weaponization windows.

Overview

  • In the second half of 2025, software exploits were the primary entry point in 44.5% of investigated intrusions, while credential-based access fell to about 27%, according to Google’s H1 2026 report.
  • Remote code execution flaws dominated targeting—most notably React2Shell (CVE-2025-55182) and an XWiki RCE (CVE-2025-24893)—with cryptominers observed deploying within 48 hours of public disclosure.
  • Attack chains increasingly leverage supply-chain and trust-abuse paths, exemplified by the QuietVault npm package stealing a GitHub token and abusing GitHub-to-AWS OIDC to create admin access and exfiltrate S3 data in the "s1ngularity" campaign.
  • Google details sustained nation-state activity, including Iran- and China-linked access persisting for 18 months or more and North Korean operations that pivoted through Kubernetes and CI/CD systems to steal millions in cryptocurrency.
  • Defensive guidance emphasizes automated edge protections such as WAF updates, stronger identity and access controls, centralized visibility, and automated incident response to keep pace with rapid mass exploitation.
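
As an added illustration of the identity and access controls recommended above (not code from Google's report or from this article), the following Python check audits IAM role trust policies that federate to GitHub's OIDC provider, the trust path named in the "s1ngularity" item. The function names, finding codes, and sample policies are constructed for this example, and treating `sub` and `aud` claim scoping as a relevant control is this example's assumption, not a statement from the report.

```python
GITHUB = "token.actions.githubusercontent.com"

def _listify(v):
    return v if isinstance(v, list) else [v]

def _conditions(stmt, claim):
    """Collect (operator, value) pairs that positively constrain one OIDC claim."""
    out = []
    for op, keys in stmt.get("Condition", {}).items():
        base = op.split(":")[-1].lower()            # drop ForAnyValue:/ForAllValues:
        if base not in ("stringequals", "stringlike"):
            continue
        for key, val in keys.items():
            if key.lower() == f"{GITHUB}:{claim}":
                out += [(base, v) for v in _listify(val)]
    return out

def audit_trust_policy(policy):
    """Return sorted finding codes for GitHub-OIDC statements in a role trust policy."""
    findings = set()
    for stmt in _listify(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        federated = _listify(principal.get("Federated", []))
        if not any(str(p).endswith("oidc-provider/" + GITHUB) for p in federated):
            continue                                # not a GitHub OIDC trust statement
        if not _conditions(stmt, "aud"):
            findings.add("no-aud-condition")
        subs = _conditions(stmt, "sub")
        if not subs:
            findings.add("no-sub-condition")        # role is not tied to any repository
        for op, value in subs:
            if op != "stringlike":
                continue                            # StringEquals treats * and ? literally
            parts = (value.split(":", 2) + ["", ""])[:3]   # repo : OWNER/REPO : ref or env
            if any(c in parts[0] + parts[1] for c in "*?"):
                findings.add("wildcard-repo")
            elif any(c in parts[2] for c in "*?"):
                findings.add("wildcard-ref")        # not pinned to one branch or environment
    return sorted(findings)

# Constructed sample policies (placeholder account ID and organisation name).
PROVIDER_ARN = "arn:aws:iam::111122223333:oidc-provider/" + GITHUB
SAMPLE_LOOSE = {"Statement": [{"Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringLike": {GITHUB + ":sub": "repo:example-org/*"}}}]}
SAMPLE_PINNED = {"Statement": [{"Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {GITHUB + ":aud": "sts.amazonaws.com",
        GITHUB + ":sub": "repo:example-org/app:environment:production"}}}]}
```

Running `audit_trust_policy` over each role's trust policy document gives a list of roles whose GitHub federation is broader than a single repository and branch or environment.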