
How RAD Helps Teams Answer the Only Question That Matters: Are We Exposed?
Operational lessons from React2Shell and Shai Hulud, and how RAD closes the visibility gap.
Jimmy Mesta
CTO
React2Shell and Shai Hulud highlight different attack paths, but both expose the same operational gap. Most security programs do not have a fast, reliable way to answer whether they are affected. They rely on best-effort scans, tribal knowledge, and long manual investigations. By the time an answer comes back, the opportunity to contain the blast radius is gone.
This is where RAD delivers leverage. We built the platform to unify code, infrastructure, and runtime behavior into a single reasoning layer. When an incident like this hits, you can ask a direct question against your own environment and get a meaningful answer.
Why These Attacks Matter
React2Shell exploits a behavior in React Server Components where deserialized server action payloads can lead to unauthenticated RCE. The payload can execute without a user explicitly calling a vulnerable API or triggering server-side code. That makes static detection unreliable. If your system accepts crafted payloads and your framework defaults to permissive behavior, you're exposed.
Shai Hulud moves differently. It propagates through poisoned npm packages using preinstall scripts to steal credentials. Those credentials are then used to publish additional compromised packages. The infection path is recursive, automated, and leverages standard tooling.
Neither attack relies on a single file or misconfiguration. They rely on the gaps between systems. If your detection strategy stops at source code scanning or static config analysis, you will miss the blast radius entirely.
How RAD Connects the Dots
RAD ingests telemetry across multiple layers. It fingerprints runtime behavior, tracks sensitive data movement, and correlates configuration, identity, and workload signals. When a new threat drops, that context is already live.
In the case of React2Shell, RAD can:
- Identify any workload with React Server Components in use
- Detect anomalous deserialization patterns or new entry points in HTTP payloads
- Alert when a server process deviates from its known behavioral fingerprint
For Shai Hulud, RAD gives you visibility into:

