Threat actors had another banner year in 2025. As we head into 2026, looking back at the top five security threats of 2025 can inform strategy and budgeting for 2026 and help organizations prepare for the continued onslaught of attacks.

According to Dark Reading, the top five security threats from 2025 include:

1. Salt Typhoon

Salt Typhoon, also known as Operator Panda, is a Chinese state-sponsored threat actor best known for targeting telecom giants and the systems used by police for court-authorized wiretapping. The group uses sophisticated techniques to conduct espionage against targets and to pre-position itself for longer-term attacks.

2. CISA Layoffs and Budget Cuts

Early in the year, the Trump administration dismissed all advisory committee members of the Cyber Safety Review Board (CSRB), a group of public and private sector experts that researched and made judgments about cybersecurity issues affecting all industries. At the time the CSRB was dismantled, it was working on a report about Salt Typhoon (recall that Salt Typhoon is listed as the #1 threat of 2025).

In addition to the dismantling of the CSRB, the Cybersecurity and Infrastructure Security Agency (CISA) faced layoffs and budget cuts throughout the year, in part due to the Department of Government Efficiency’s slashing of government spending.

CISA has provided a wide range of services to organizations, including vulnerability guidance, physical and cyber security assessments, election security, and incident response support, much of it to state and municipal governments and smaller organizations. The cuts have hampered these entities’ efforts to protect themselves even as threat actors continue to target them, and that pressure will continue into 2026.

3. React2Shell / Log4Shell

React2Shell (CVE-2025-55182) is a vulnerability disclosed in early December that affects the React Server Components (RSC) open-source protocol. “Caused by unsafe deserialization, the vulnerability was considered easily exploitable and highly dangerous, earning it a maximum CVSS score of 10. Even worse, React is fairly ubiquitous, and at the time of disclosure it was thought that a third of cloud providers were vulnerable. The vulnerability was named React2Shell in apparent reference to Log4Shell, a similarly dangerous bug from late 2021 that impacted environments with Log4j.” Nation-state actors were among the first to exploit the vulnerability, but within days it was being exploited by run-of-the-mill threat actors as well.

4. Self-Replicating Malware Shai-Hulud

In September 2025, a self-replicating malware known as Shai-Hulud appeared on the scene. Shai-Hulud is an infostealer that infects open-source software components. “When a user downloads a package infected by the worm, Shai-Hulud infects other packages maintained by the user and publishes poisoned versions, automatically and without much direct attacker input. The cycle continues.” The infostealer “uses defenders’ own automation to … corrupt the open source ‘well’ that thousands of companies draw from daily. This creates a significant danger because the threat isn’t just common vulnerabilities; it’s deeply nested, multilayer dependencies,” according to Unit 42’s Justin Moore. “This creates a massive, multilayered attack surface where a single compromise deep in the stack can cascade across thousands of companies simultaneously.”

5. Threat Campaigns Targeting Salesforce Customers

Earlier in 2025, a threat actor compromised Salesloft’s GitHub account and leveraged that access to steal OAuth tokens associated with Salesloft Drift’s Salesforce integration. This led to downstream attacks against hundreds of Salesforce customers’ instances. The incident underscores threat actors’ continued focus on prominent supply chain companies, where a single successful compromise provides access to hundreds or thousands of downstream customers.

These significant security events of 2025 are worth considering when setting cybersecurity strategy, shoring up vendor management, and budgeting for 2026.

Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law. Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island.