December 10, 2025
How RAD Helps Teams Answer the Only Question That Matters: Are We Exposed?
Operational lessons from React2Shell and Shai Hulud, and how RAD closes the visibility gap.
Written By:
Jimmy Mesta
React2Shell and Shai Hulud highlight different attack paths, but both expose the same operational gap. Most security programs do not have a fast, reliable way to answer whether they are affected. They rely on best-effort scans, tribal knowledge, and long manual investigations. By the time an answer comes back, the opportunity to contain the blast radius is gone.
This is where RAD delivers leverage. We built the platform to unify code, infrastructure, and runtime behavior into a single reasoning layer. When an incident like this hits, you can ask a direct question against your own environment and get a meaningful answer.
Why These Attacks Matter
React2Shell exploits a behavior in React Server Components where deserialized server action payloads can lead to unauthenticated RCE. The payload can execute without a user explicitly calling a vulnerable API or triggering server-side code. That makes static detection unreliable. If your system accepts crafted payloads and your framework defaults to permissive behavior, you're exposed.
Shai Hulud moves differently. It propagates through poisoned npm packages using preinstall scripts to steal credentials. Those credentials are then used to publish additional compromised packages. The infection path is recursive, automated, and leverages standard tooling.
Neither attack relies on a single file or misconfiguration. They rely on the gaps between systems. If your detection strategy stops at source code scanning or static config analysis, you will miss the blast radius entirely.
How RAD Connects the Dots
RAD ingests telemetry across multiple layers. It fingerprints runtime behavior, tracks sensitive data movement, and correlates configuration, identity, and workload signals. When a new threat drops, that context is already live.
In the case of React2Shell, RAD can:
- Identify any workload with React Server Components in use
- Detect anomalous deserialization patterns or new entry points in HTTP payloads
- Alert when a server process deviates from its known behavioral fingerprint
For Shai Hulud, RAD gives you visibility into:
- Package-level changes across repos and deployed artifacts
- Credential usage patterns and cross-system drift
- Runtime behavior on CI/CD runners and dev environments
This isn’t about signature matching. It’s about having a behavioral map of your environment that lets you instantly see what changed and whether that change matters.
What a Real Investigation Looks Like in RAD
Security teams using RAD do not wait for full CVE context. As soon as they hear about React2Shell, they can ask RADBot a direct question:
"Which services in my environment are using React Server Components and accepting deserialized payloads?"
RADBot runs that question across connected GitHub repos, container images, runtime logs, and network traffic. You get a list of systems, their exposure state, and whether any of them show signs of abnormal behavior.
For Shai Hulud, a team might start with:
"Show me npm packages installed across our CI/CD runners and flag any using preinstall scripts."
RADBot connects repo metadata with installed workloads and runtime data. You don’t need to manually grep through audit logs or build a scanner. The context already exists.
Detection Without the CVE
RAD does not require a CVE to act. If a new package appears in your environment and starts accessing secrets or making outbound connections during a build, that deviation is visible immediately. If a server process starts accepting new serialized input types or calling eval where it never did before, RAD will flag it.
These deviations are not isolated alerts. They are mapped to their dependencies, triggering identities, and connected services. That’s how you reduce false positives. That’s how you understand real blast radius.
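A sketch of the baseline-deviation idea described above, added here as an example that is not RAD's code: build-time events (process, outbound connection, secret read) are compared against a per-workload baseline, and deviations keep the identity and package that triggered them so they can be grouped into one incident. The event shape, baseline, workload name and package name are all constructed.

```javascript
// Added example (not RAD's code): flag build-time events that deviate from a
// per-workload behavioral baseline. Baseline, event shape and data are constructed.

// What ci-runner-01 is known to do during the install phase of a build.
const BASELINE = {
  "ci-runner-01": {
    procs: new Set(["node", "npm", "git"]),
    egress: new Set(["registry.npmjs.org", "github.com"]),
    secretReads: new Set(),               // install phase should touch no secrets
  },
};

// Constructed runtime events, as a behavioral sensor might emit them. The last
// three come from a hook in a newly added package.
const EVENTS = [
  { wl: "ci-runner-01", type: "proc", value: "npm", identity: "ci-bot", pkg: null },
  { wl: "ci-runner-01", type: "egress", value: "registry.npmjs.org", identity: "ci-bot", pkg: null },
  { wl: "ci-runner-01", type: "proc", value: "node", identity: "ci-bot", pkg: "totally-fine-utils" },
  { wl: "ci-runner-01", type: "secret", value: "/home/ci/.npmrc", identity: "ci-bot", pkg: "totally-fine-utils" },
  { wl: "ci-runner-01", type: "egress", value: "203.0.113.7", identity: "ci-bot", pkg: "totally-fine-utils" },
];

const FIELD = { proc: "procs", egress: "egress", secret: "secretReads" };

// Return each event not covered by its workload's baseline, keeping the identity
// and package that triggered it so deviations can be correlated, not raised alone.
function findDeviations(events, baseline) {
  const out = [];
  for (const e of events) {
    const b = baseline[e.wl];
    if (!b) { out.push({ ...e, reason: "no baseline for workload" }); continue; }
    if (!b[FIELD[e.type]].has(e.value)) out.push({ ...e, reason: `${e.type} not in baseline` });
  }
  return out;
}

// Group deviations by originating package: one incident to triage, not N alerts.
function groupByPackage(devs) {
  const groups = {};
  for (const d of devs) {
    const key = d.pkg === null ? "(no package)" : d.pkg;
    (groups[key] = groups[key] || []).push(`${d.type}=${d.value}`);
  }
  return groups;
}
```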
What This Means for Your Team
Most orgs cannot answer the exposure question without assembling data across five tools and three teams. RAD collapses that workflow into one system. You query your environment like it’s a graph. You see every signal in context. You don’t have to guess.
The real value shows up when time matters. RAD is for the hour after the tweet, not the month after the patch.
If you had RAD last week, you’d already know whether you were exposed. If you want to get to that state, we can show you what that looks like in your environment.