
PALO ALTO, CA — Within 47 minutes of the React2Shell vulnerability disclosure last week, cloud security vendor SecureStack had already published three blog posts, two whitepapers, a webinar invitation, and a full-page LinkedIn ad expressing deep concern for their customers' wellbeing, sources confirmed Wednesday.
"The moment we saw CVE-2025-55182 trending, we knew this was our moment to shine—again," said Marcus Thornton, VP of Threat Intelligence at SecureStack. "Our customers needed to know that we care deeply about this critical React vulnerability, just like we cared about Shai-Hulud 2.0 three weeks ago. Fortunately, our platform—which coincidentally just launched a unified frontend framework and supply chain scanning feature—is the only thing standing between them and certain doom."
The React2Shell vulnerabilities, affecting React (CVE-2025-55182) and Next.js (CVE-2025-66478), triggered an unprecedented second wave of vendor concern just as security teams were recovering from the Shai-Hulud 2.0 npm worm response. At least 63 security companies published "emergency guidance" within 72 hours, with 58 of them noting that organizations who had purchased their Shai-Hulud protection packages would need to upgrade to the new React2Shell tier for full coverage.
CloudGuard Security went a step further, hosting an emergency webinar titled "From Shai-Hulud to React2Shell: Your Supply Chain's Perfect Storm" that drew explicit connections between the unrelated vulnerabilities. The session, attended by 18,000 increasingly exhausted security professionals, spent 55 minutes explaining how the worm and React vulnerabilities were "part of a coordinated attack pattern" before briefly acknowledging they were completely separate issues discovered by different researchers.
"What we're seeing is a cascade effect," warned Sarah Chen, CISO-in-Residence at venture capital firm Disruption Partners, in a sponsored blog post. "First Shai-Hulud compromised your dependencies, and now React2Shell can exploit your frontend. Organizations need our portfolio company's new $350K/year Full-Stack Threat Prevention Suite—previously two separate products, now bundled for your convenience."
Meanwhile, actual security teams reported burning out from the relentless vendor drumbeat. "We spent two weeks remediating Shai-Hulud exposure, fielding panicked executive questions from the last round of vendor emails," said one frustrated security engineer at a Fortune 500 company who spoke on condition of anonymity. "Now my CEO is forwarding me emails with subject lines like 'REACT2SHELL + SHAI-HULUD = GAME OVER' from vendors trying to connect dots that don't exist. I just want to patch our servers."
At press time, SecureStack announced that customers concerned about future vulnerabilities could now purchase a $500K "Perpetual Emergency Response Retainer" with guaranteed same-day blog post publication for all future CVEs.

Harry Wetherald is the CEO and Co-Founder of Maze.