home.social

#constructor — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #constructor, aggregated by home.social.

  1. JavaScriptBuzz @[email protected] ·

    Constructor Can Return DIFFERENT Object?!

    Constructors can LIE about what they create! If you return an object, it REPLACES the instance. The 'new' keyword becomes USELESS. instanceof returns false! This breaks OOP principles!

    #javascript #javascripttricks #constructor #classsyntax #instanceof #javascriptweird #javascriptquiz #codingchallenge #javascriptshorts #javascriptwtf #oopquirks #advancedjavascript

    youtube.com/watch?v=NSHaq1zbSWE

    #javascript #javascripttricks #constructor #classsyntax #instanceof #javascriptweird
  2. JavaScriptBuzz @[email protected] ·

    Constructor Can Return DIFFERENT Object?!

    Constructors can LIE about what they create! If you return an object, it REPLACES the instance. The 'new' keyword becomes USELESS. instanceof returns false! This breaks OOP principles!

    #javascript #javascripttricks #constructor #classsyntax #instanceof #javascriptweird #javascriptquiz #codingchallenge #javascriptshorts #javascriptwtf #oopquirks #advancedjavascript

    youtube.com/watch?v=NSHaq1zbSWE

    #javascript #javascripttricks #constructor #classsyntax #instanceof #javascriptweird
  3. JavaScriptBuzz @[email protected] ·

    Constructor Can Return DIFFERENT Object?!

    Constructors can LIE about what they create! If you return an object, it REPLACES the instance. The 'new' keyword becomes USELESS. instanceof returns false! This breaks OOP principles!

    #javascript #javascripttricks #constructor #classsyntax #instanceof #javascriptweird #javascriptquiz #codingchallenge #javascriptshorts #javascriptwtf #oopquirks #advancedjavascript

    youtube.com/watch?v=NSHaq1zbSWE

    #javascript #javascripttricks #constructor #classsyntax #instanceof #javascriptweird
  4. JavaScriptBuzz @[email protected] ·

    Constructor Can Return DIFFERENT Object?!

    Constructors can LIE about what they create! If you return an object, it REPLACES the instance. The 'new' keyword becomes USELESS. instanceof returns false! This breaks OOP principles!

    #javascript #javascripttricks #constructor #classsyntax #instanceof #javascriptweird #javascriptquiz #codingchallenge #javascriptshorts #javascriptwtf #oopquirks #advancedjavascript

    youtube.com/watch?v=NSHaq1zbSWE

    #advancedjavascript #oopquirks #javascriptwtf #javascriptshorts #codingchallenge #javascriptquiz
  5. JavaScriptBuzz @[email protected] ·

    Constructor Can Return DIFFERENT Object?!

    Constructors can LIE about what they create! If you return an object, it REPLACES the instance. The 'new' keyword becomes USELESS. instanceof returns false! This breaks OOP principles!

    #javascript #javascripttricks #constructor #classsyntax #instanceof #javascriptweird #javascriptquiz #codingchallenge #javascriptshorts #javascriptwtf #oopquirks #advancedjavascript

    youtube.com/watch?v=NSHaq1zbSWE

    #javascript #javascripttricks #constructor #classsyntax #instanceof #javascriptweird
  6. Habr @[email protected] ·

    Field vs Constructor Injection в Java: ошибка объектного дизайна или вопрос синтаксиса?

    Знаю, знаю... Прочитав заголовок, хочется голосом волка из мультфильма "Жил был пёс" сказать - "Шо, опять?" . Ведь битва этих подходов давно закончилась и разработчики Spring уже поставили точку. Но недавняя публикация в одном довольно крупном Telegram-канале заставила меня вернуться к этому вопросу. В качестве главных аргументов против field injection там приводились лишь сложность изоляции в тестах и неудобство создания экземпляров для unit-тестов. И хотя с этими пунктами не поспоришь, у многих разработчиков и не только начинающих, остаются вопросы: каковы реальные последствия для самого объекта? Можно ли считать его полноценным сразу после создания new ? И почему все современные рекомендации так настаивают на конструкторах? Поиск ответов показал мне, что аргумент о тестах лишь верхушка айсберга. В глубине, куда я Вас сегодня приглашаю заглянуть, скрываются куда более фундаментальные вопросы принципов объектно-ориентированного дизайна, гарантий Java Memory Model и уважения к жизненному циклу объекта.

    habr.com/ru/articles/983344/

    #field #injection #constructor #setter #Dependency_Injection #Spring_Framework #Java #ObjectOriented_Design #Invariants

    #invariants #objectoriented_design #java #spring_framework #dependency_injection #setter
  7. Habr @[email protected] ·

    Field vs Constructor Injection в Java: ошибка объектного дизайна или вопрос синтаксиса?

    Знаю, знаю... Прочитав заголовок, хочется голосом волка из мультфильма "Жил был пёс" сказать - "Шо, опять?" . Ведь битва этих подходов давно закончилась и разработчики Spring уже поставили точку. Но недавняя публикация в одном довольно крупном Telegram-канале заставила меня вернуться к этому вопросу. В качестве главных аргументов против field injection там приводились лишь сложность изоляции в тестах и неудобство создания экземпляров для unit-тестов. И хотя с этими пунктами не поспоришь, у многих разработчиков и не только начинающих, остаются вопросы: каковы реальные последствия для самого объекта? Можно ли считать его полноценным сразу после создания new ? И почему все современные рекомендации так настаивают на конструкторах? Поиск ответов показал мне, что аргумент о тестах лишь верхушка айсберга. В глубине, куда я Вас сегодня приглашаю заглянуть, скрываются куда более фундаментальные вопросы принципов объектно-ориентированного дизайна, гарантий Java Memory Model и уважения к жизненному циклу объекта.

    habr.com/ru/articles/983344/

    #field #injection #constructor #setter #Dependency_Injection #Spring_Framework #Java #ObjectOriented_Design #Invariants

    #invariants #objectoriented_design #java #spring_framework #dependency_injection #setter
  8. Habr @[email protected] ·

    Field vs Constructor Injection в Java: ошибка объектного дизайна или вопрос синтаксиса?

    Знаю, знаю... Прочитав заголовок, хочется голосом волка из мультфильма "Жил был пёс" сказать - "Шо, опять?" . Ведь битва этих подходов давно закончилась и разработчики Spring уже поставили точку. Но недавняя публикация в одном довольно крупном Telegram-канале заставила меня вернуться к этому вопросу. В качестве главных аргументов против field injection там приводились лишь сложность изоляции в тестах и неудобство создания экземпляров для unit-тестов. И хотя с этими пунктами не поспоришь, у многих разработчиков и не только начинающих, остаются вопросы: каковы реальные последствия для самого объекта? Можно ли считать его полноценным сразу после создания new ? И почему все современные рекомендации так настаивают на конструкторах? Поиск ответов показал мне, что аргумент о тестах лишь верхушка айсберга. В глубине, куда я Вас сегодня приглашаю заглянуть, скрываются куда более фундаментальные вопросы принципов объектно-ориентированного дизайна, гарантий Java Memory Model и уважения к жизненному циклу объекта.

    habr.com/ru/articles/983344/

    #field #injection #constructor #setter #Dependency_Injection #Spring_Framework #Java #ObjectOriented_Design #Invariants

    #invariants #objectoriented_design #java #spring_framework #dependency_injection #setter
  9. Habr @[email protected] ·

    Field vs Constructor Injection в Java: ошибка объектного дизайна или вопрос синтаксиса?

    Знаю, знаю... Прочитав заголовок, хочется голосом волка из мультфильма "Жил был пёс" сказать - "Шо, опять?" . Ведь битва этих подходов давно закончилась и разработчики Spring уже поставили точку. Но недавняя публикация в одном довольно крупном Telegram-канале заставила меня вернуться к этому вопросу. В качестве главных аргументов против field injection там приводились лишь сложность изоляции в тестах и неудобство создания экземпляров для unit-тестов. И хотя с этими пунктами не поспоришь, у многих разработчиков и не только начинающих, остаются вопросы: каковы реальные последствия для самого объекта? Можно ли считать его полноценным сразу после создания new ? И почему все современные рекомендации так настаивают на конструкторах? Поиск ответов показал мне, что аргумент о тестах лишь верхушка айсберга. В глубине, куда я Вас сегодня приглашаю заглянуть, скрываются куда более фундаментальные вопросы принципов объектно-ориентированного дизайна, гарантий Java Memory Model и уважения к жизненному циклу объекта.

    habr.com/ru/articles/983344/

    #field #injection #constructor #setter #Dependency_Injection #Spring_Framework #Java #ObjectOriented_Design #Invariants

    #field #injection #constructor #setter #dependency_injection #spring_framework
  10. Habr @[email protected] ·

    Field vs Constructor Injection в Java: ошибка объектного дизайна или вопрос синтаксиса?

    Знаю, знаю... Прочитав заголовок, хочется голосом волка из мультфильма "Жил был пёс" сказать - "Шо, опять?" . Ведь битва этих подходов давно закончилась и разработчики Spring уже поставили точку. Но недавняя публикация в одном довольно крупном Telegram-канале заставила меня вернуться к этому вопросу. В качестве главных аргументов против field injection там приводились лишь сложность изоляции в тестах и неудобство создания экземпляров для unit-тестов. И хотя с этими пунктами не поспоришь, у многих разработчиков и не только начинающих, остаются вопросы: каковы реальные последствия для самого объекта? Можно ли считать его полноценным сразу после создания new ? И почему все современные рекомендации так настаивают на конструкторах? Поиск ответов показал мне, что аргумент о тестах лишь верхушка айсберга. В глубине, куда я Вас сегодня приглашаю заглянуть, скрываются куда более фундаментальные вопросы принципов объектно-ориентированного дизайна, гарантий Java Memory Model и уважения к жизненному циклу объекта.

    habr.com/ru/articles/983340/

    #field #injection #constructor #setter #Dependency_Injection #Spring_Framework #Java #ObjectOriented_Design #Invariants

    #invariants #objectoriented_design #java #spring_framework #dependency_injection #setter
  11. Habr @[email protected] ·

    Field vs Constructor Injection в Java: ошибка объектного дизайна или вопрос синтаксиса?

    Знаю, знаю... Прочитав заголовок, хочется голосом волка из мультфильма "Жил был пёс" сказать - "Шо, опять?" . Ведь битва этих подходов давно закончилась и разработчики Spring уже поставили точку. Но недавняя публикация в одном довольно крупном Telegram-канале заставила меня вернуться к этому вопросу. В качестве главных аргументов против field injection там приводились лишь сложность изоляции в тестах и неудобство создания экземпляров для unit-тестов. И хотя с этими пунктами не поспоришь, у многих разработчиков и не только начинающих, остаются вопросы: каковы реальные последствия для самого объекта? Можно ли считать его полноценным сразу после создания new ? И почему все современные рекомендации так настаивают на конструкторах? Поиск ответов показал мне, что аргумент о тестах лишь верхушка айсберга. В глубине, куда я Вас сегодня приглашаю заглянуть, скрываются куда более фундаментальные вопросы принципов объектно-ориентированного дизайна, гарантий Java Memory Model и уважения к жизненному циклу объекта.

    habr.com/ru/articles/983340/

    #field #injection #constructor #setter #Dependency_Injection #Spring_Framework #Java #ObjectOriented_Design #Invariants

    #invariants #objectoriented_design #java #spring_framework #dependency_injection #setter
  12. Habr @[email protected] ·

    Field vs Constructor Injection в Java: ошибка объектного дизайна или вопрос синтаксиса?

    Знаю, знаю... Прочитав заголовок, хочется голосом волка из мультфильма "Жил был пёс" сказать - "Шо, опять?" . Ведь битва этих подходов давно закончилась и разработчики Spring уже поставили точку. Но недавняя публикация в одном довольно крупном Telegram-канале заставила меня вернуться к этому вопросу. В качестве главных аргументов против field injection там приводились лишь сложность изоляции в тестах и неудобство создания экземпляров для unit-тестов. И хотя с этими пунктами не поспоришь, у многих разработчиков и не только начинающих, остаются вопросы: каковы реальные последствия для самого объекта? Можно ли считать его полноценным сразу после создания new ? И почему все современные рекомендации так настаивают на конструкторах? Поиск ответов показал мне, что аргумент о тестах лишь верхушка айсберга. В глубине, куда я Вас сегодня приглашаю заглянуть, скрываются куда более фундаментальные вопросы принципов объектно-ориентированного дизайна, гарантий Java Memory Model и уважения к жизненному циклу объекта.

    habr.com/ru/articles/983340/

    #field #injection #constructor #setter #Dependency_Injection #Spring_Framework #Java #ObjectOriented_Design #Invariants

    #invariants #objectoriented_design #java #spring_framework #dependency_injection #setter
  13. Habr @[email protected] ·

    Field vs Constructor Injection в Java: ошибка объектного дизайна или вопрос синтаксиса?

    Знаю, знаю... Прочитав заголовок, хочется голосом волка из мультфильма "Жил был пёс" сказать - "Шо, опять?" . Ведь битва этих подходов давно закончилась и разработчики Spring уже поставили точку. Но недавняя публикация в одном довольно крупном Telegram-канале заставила меня вернуться к этому вопросу. В качестве главных аргументов против field injection там приводились лишь сложность изоляции в тестах и неудобство создания экземпляров для unit-тестов. И хотя с этими пунктами не поспоришь, у многих разработчиков и не только начинающих, остаются вопросы: каковы реальные последствия для самого объекта? Можно ли считать его полноценным сразу после создания new ? И почему все современные рекомендации так настаивают на конструкторах? Поиск ответов показал мне, что аргумент о тестах лишь верхушка айсберга. В глубине, куда я Вас сегодня приглашаю заглянуть, скрываются куда более фундаментальные вопросы принципов объектно-ориентированного дизайна, гарантий Java Memory Model и уважения к жизненному циклу объекта.

    habr.com/ru/articles/983340/

    #field #injection #constructor #setter #Dependency_Injection #Spring_Framework #Java #ObjectOriented_Design #Invariants

    #field #injection #constructor #setter #dependency_injection #spring_framework
  14. Cybersecurity & cyberwarfare @[email protected] ·

    It didn’t take long: CVE-2025-55182 is now under active exploitation

    On December 4, 2025, researchers published details on the critical vulnerability CVE-2025-55182, which received a CVSS score of 10.0. It has been unofficially dubbed React4Shell, as it affects React Server Components (RSC) functionality used in web applications built with the React library. RSC speeds up UI rendering by distributing tasks between the client and the server. The flaw is categorized as CWE-502 (Deserialization of Untrusted Data). It allows an attacker to execute commands, as well as read and write files in directories accessible to the web application, with the server process privileges.

    Almost immediately after the exploit was published, our honeypots began registering attempts to leverage CVE-2025-55182. This post analyzes the attack patterns, the malware that threat actors are attempting to deliver to vulnerable devices, and shares recommendations for risk mitigation.

    A brief technical analysis of the vulnerability


    React applications are built on a component-based model. This means each part of the application or framework should operate independently and offer other components clear, simple methods for interaction. While this approach allows for flexible development and feature addition, it can require users to download large amounts of data, leading to inconsistent performance across devices. This is the challenge React Server Components were designed to address.

    The vulnerability was found within the Server Actions component of RSC. To reach the vulnerable function, the attacker just needs to send a POST request to the server containing a serialized data payload for execution. Part of the functionality of the handler that allows for unsafe deserialization is illustrated below:


    A comparison of the vulnerable (left) and patched (right) functions

    CVE-2025-55182 on Kaspersky honeypots


    As the vulnerability is rather simple to exploit, the attackers quickly added it to their arsenal. The initial exploitation attempts were registered by Kaspersky honeypots on December 5. By Monday, December 8, the number of attempts had increased significantly and continues to rise.

    The number of CVE-2025-55182 attacks targeting Kaspersky honeypots, by day (download)

    Attackers first probe their target to ensure it is not a honeypot: they run whoami, perform multiplication in bash, or compute MD5 or Base64 hashes of random strings to verify their code can execute on the targeted machine.

    In most cases, they then attempt to download malicious files using command-line web clients like wget or curl. Additionally, some attackers deliver a PowerShell-based Windows payload that installs XMRig, a popular Monero crypto miner.

    CVE-2025-55182 was quickly weaponized by numerous malware campaigns, ranging from classic Mirai/Gafgyt variants to crypto miners and the RondoDox botnet. Upon infecting a system, RondoDox wastes no time, its loader script immediately moving to eliminate competitors:

    Beyond checking hardcoded paths, RondoDox also neutralizes AppArmor and SELinux security modules and employs more sophisticated methods to find and terminate processes with ELF files removed for disguise.

    Only after completing these steps does the script download and execute the main payload by sequentially trying three different loaders: wget, curl, and wget from BusyBox. It also iterates through 18 different malware builds for various CPU architectures, enabling it to infect both IoT devices and standard x86_64 Linux servers.

    In some attacks, instead of deploying malware, the adversary attempted to steal credentials for Git and cloud environments. A successful breach could lead to cloud infrastructure compromise, software supply chain attacks, and other severe consequences.


    Risk mitigation measures


    We strongly recommend updating the relevant packages by applying patches released by the developers of the corresponding modules and bundles.
    Vulnerable versions of React Server Components:

    • react-server-dom-webpack (19.0.0, 19.1.0, 19.1.1, 19.2.0)
    • react-server-dom-parcel (19.0.0, 19.1.0, 19.1.1, 19.2.0)
    • react-server-dom-turbopack (19.0.0, 19.1.0, 19.1.1, 19.2.0)

    Bundles and modules confirmed as using React Server Components:

    • next
    • react-router
    • waku
    • @parcel/rsc
    • @vitejs/plugin-rsc
    • rwsdk

    To prevent exploitation while patches are being deployed, consider blocking all POST requests containing the following keywords in parameters or the request body:

    • #constructor
    • # proto
    • #prototype
    • vm#runInThisContext
    • vm#runInNewContext
    • child_process#execSync
    • child_process#execFileSync
    • child_process#spawnSync
    • module#_load
    • module#createRequire
    • fs#readFileSync
    • fs#writeFileSync
    • s#appendFileSync


    Conclusion


    Due to the ease of exploitation and the public availability of a working PoC, threat actors have rapidly adopted CVE-2025-55182. It is highly likely that attacks will continue to grow in the near term.

    We recommend immediately updating React to the latest patched version, scanning vulnerable hosts for signs of malware, and changing any credentials stored on them.

    Indicators of compromise


    Malware URLs
    hxxp://172.237.55.180/b
    hxxp://172.237.55.180/c
    hxxp://176.117.107.154/bot
    hxxp://193.34.213.150/nuts/bolts
    hxxp://193.34.213.150/nuts/x86
    hxxp://23.132.164.54/bot
    hxxp://31.56.27.76/n2/x86
    hxxp://31.56.27.97/scripts/4thepool_miner[.]sh
    hxxp://41.231.37.153/rondo[.]aqu[.]sh
    hxxp://41.231.37.153/rondo[.]arc700
    hxxp://41.231.37.153/rondo[.]armeb
    hxxp://41.231.37.153/rondo[.]armebhf
    hxxp://41.231.37.153/rondo[.]armv4l
    hxxp://41.231.37.153/rondo[.]armv5l
    hxxp://41.231.37.153/rondo[.]armv6l
    hxxp://41.231.37.153/rondo[.]armv7l
    hxxp://41.231.37.153/rondo[.]i486
    hxxp://41.231.37.153/rondo[.]i586
    hxxp://41.231.37.153/rondo[.]i686
    hxxp://41.231.37.153/rondo[.]m68k
    hxxp://41.231.37.153/rondo[.]mips
    hxxp://41.231.37.153/rondo[.]mipsel
    hxxp://41.231.37.153/rondo[.]powerpc
    hxxp://41.231.37.153/rondo[.]powerpc-440fp
    hxxp://41.231.37.153/rondo[.]sh4
    hxxp://41.231.37.153/rondo[.]sparc
    hxxp://41.231.37.153/rondo[.]x86_64
    hxxp://51.81.104.115/nuts/bolts
    hxxp://51.81.104.115/nuts/x86
    hxxp://51.91.77.94:13339/termite/51.91.77.94:13337
    hxxp://59.7.217.245:7070/app2
    hxxp://59.7.217.245:7070/c[.]sh
    hxxp://68.142.129.4:8277/download/c[.]sh
    hxxp://89.144.31.18/nuts/bolts
    hxxp://89.144.31.18/nuts/x86
    hxxp://gfxnick.emerald.usbx[.]me/bot
    hxxp://meomeoli.mooo[.]com:8820/CLoadPXP/lix.exe?pass=PXPa9682775lckbitXPRopGIXPIL
    hxxps://api.hellknight[.]xyz/js
    hxxps://gist.githubusercontent[.]com/demonic-agents/39e943f4de855e2aef12f34324cbf150/raw/e767e1cef1c35738689ba4df9c6f7f29a6afba1a/setup_c3pool_miner[.]sh

    MD5 hashes
    0450fe19cfb91660e9874c0ce7a121e0
    3ba4d5e0cf0557f03ee5a97a2de56511
    622f904bb82c8118da2966a957526a2b
    791f123b3aaff1b92873bd4b7a969387
    c6381ebf8f0349b8d47c5e623bbcef6b
    e82057e481a2d07b177d9d94463a7441

    securelist.com/cve-2025-55182-…

    #prototype #proto #constructor
  15. Cybersecurity & cyberwarfare @[email protected] ·

    It didn’t take long: CVE-2025-55182 is now under active exploitation

    On December 4, 2025, researchers published details on the critical vulnerability CVE-2025-55182, which received a CVSS score of 10.0. It has been unofficially dubbed React4Shell, as it affects React Server Components (RSC) functionality used in web applications built with the React library. RSC speeds up UI rendering by distributing tasks between the client and the server. The flaw is categorized as CWE-502 (Deserialization of Untrusted Data). It allows an attacker to execute commands, as well as read and write files in directories accessible to the web application, with the server process privileges.

    Almost immediately after the exploit was published, our honeypots began registering attempts to leverage CVE-2025-55182. This post analyzes the attack patterns, the malware that threat actors are attempting to deliver to vulnerable devices, and shares recommendations for risk mitigation.

    A brief technical analysis of the vulnerability


    React applications are built on a component-based model. This means each part of the application or framework should operate independently and offer other components clear, simple methods for interaction. While this approach allows for flexible development and feature addition, it can require users to download large amounts of data, leading to inconsistent performance across devices. This is the challenge React Server Components were designed to address.

    The vulnerability was found within the Server Actions component of RSC. To reach the vulnerable function, the attacker just needs to send a POST request to the server containing a serialized data payload for execution. Part of the functionality of the handler that allows for unsafe deserialization is illustrated below:


    A comparison of the vulnerable (left) and patched (right) functions

    CVE-2025-55182 on Kaspersky honeypots


    As the vulnerability is rather simple to exploit, the attackers quickly added it to their arsenal. The initial exploitation attempts were registered by Kaspersky honeypots on December 5. By Monday, December 8, the number of attempts had increased significantly and continues to rise.

    The number of CVE-2025-55182 attacks targeting Kaspersky honeypots, by day (download)

    Attackers first probe their target to ensure it is not a honeypot: they run whoami, perform multiplication in bash, or compute MD5 or Base64 hashes of random strings to verify their code can execute on the targeted machine.

    In most cases, they then attempt to download malicious files using command-line web clients like wget or curl. Additionally, some attackers deliver a PowerShell-based Windows payload that installs XMRig, a popular Monero crypto miner.

    CVE-2025-55182 was quickly weaponized by numerous malware campaigns, ranging from classic Mirai/Gafgyt variants to crypto miners and the RondoDox botnet. Upon infecting a system, RondoDox wastes no time, its loader script immediately moving to eliminate competitors:

    Beyond checking hardcoded paths, RondoDox also neutralizes AppArmor and SELinux security modules and employs more sophisticated methods to find and terminate processes with ELF files removed for disguise.

    Only after completing these steps does the script download and execute the main payload by sequentially trying three different loaders: wget, curl, and wget from BusyBox. It also iterates through 18 different malware builds for various CPU architectures, enabling it to infect both IoT devices and standard x86_64 Linux servers.

    In some attacks, instead of deploying malware, the adversary attempted to steal credentials for Git and cloud environments. A successful breach could lead to cloud infrastructure compromise, software supply chain attacks, and other severe consequences.


    Risk mitigation measures


    We strongly recommend updating the relevant packages by applying patches released by the developers of the corresponding modules and bundles.
    Vulnerable versions of React Server Components:

    • react-server-dom-webpack (19.0.0, 19.1.0, 19.1.1, 19.2.0)
    • react-server-dom-parcel (19.0.0, 19.1.0, 19.1.1, 19.2.0)
    • react-server-dom-turbopack (19.0.0, 19.1.0, 19.1.1, 19.2.0)

    Bundles and modules confirmed as using React Server Components:

    • next
    • react-router
    • waku
    • @parcel/rsc
    • @vitejs/plugin-rsc
    • rwsdk

    To prevent exploitation while patches are being deployed, consider blocking all POST requests containing the following keywords in parameters or the request body:

    • #constructor
    • # proto
    • #prototype
    • vm#runInThisContext
    • vm#runInNewContext
    • child_process#execSync
    • child_process#execFileSync
    • child_process#spawnSync
    • module#_load
    • module#createRequire
    • fs#readFileSync
    • fs#writeFileSync
    • s#appendFileSync


    Conclusion


    Due to the ease of exploitation and the public availability of a working PoC, threat actors have rapidly adopted CVE-2025-55182. It is highly likely that attacks will continue to grow in the near term.

    We recommend immediately updating React to the latest patched version, scanning vulnerable hosts for signs of malware, and changing any credentials stored on them.

    Indicators of compromise


    Malware URLs
    hxxp://172.237.55.180/b
    hxxp://172.237.55.180/c
    hxxp://176.117.107.154/bot
    hxxp://193.34.213.150/nuts/bolts
    hxxp://193.34.213.150/nuts/x86
    hxxp://23.132.164.54/bot
    hxxp://31.56.27.76/n2/x86
    hxxp://31.56.27.97/scripts/4thepool_miner[.]sh
    hxxp://41.231.37.153/rondo[.]aqu[.]sh
    hxxp://41.231.37.153/rondo[.]arc700
    hxxp://41.231.37.153/rondo[.]armeb
    hxxp://41.231.37.153/rondo[.]armebhf
    hxxp://41.231.37.153/rondo[.]armv4l
    hxxp://41.231.37.153/rondo[.]armv5l
    hxxp://41.231.37.153/rondo[.]armv6l
    hxxp://41.231.37.153/rondo[.]armv7l
    hxxp://41.231.37.153/rondo[.]i486
    hxxp://41.231.37.153/rondo[.]i586
    hxxp://41.231.37.153/rondo[.]i686
    hxxp://41.231.37.153/rondo[.]m68k
    hxxp://41.231.37.153/rondo[.]mips
    hxxp://41.231.37.153/rondo[.]mipsel
    hxxp://41.231.37.153/rondo[.]powerpc
    hxxp://41.231.37.153/rondo[.]powerpc-440fp
    hxxp://41.231.37.153/rondo[.]sh4
    hxxp://41.231.37.153/rondo[.]sparc
    hxxp://41.231.37.153/rondo[.]x86_64
    hxxp://51.81.104.115/nuts/bolts
    hxxp://51.81.104.115/nuts/x86
    hxxp://51.91.77.94:13339/termite/51.91.77.94:13337
    hxxp://59.7.217.245:7070/app2
    hxxp://59.7.217.245:7070/c[.]sh
    hxxp://68.142.129.4:8277/download/c[.]sh
    hxxp://89.144.31.18/nuts/bolts
    hxxp://89.144.31.18/nuts/x86
    hxxp://gfxnick.emerald.usbx[.]me/bot
    hxxp://meomeoli.mooo[.]com:8820/CLoadPXP/lix.exe?pass=PXPa9682775lckbitXPRopGIXPIL
    hxxps://api.hellknight[.]xyz/js
    hxxps://gist.githubusercontent[.]com/demonic-agents/39e943f4de855e2aef12f34324cbf150/raw/e767e1cef1c35738689ba4df9c6f7f29a6afba1a/setup_c3pool_miner[.]sh

    MD5 hashes
    0450fe19cfb91660e9874c0ce7a121e0
    3ba4d5e0cf0557f03ee5a97a2de56511
    622f904bb82c8118da2966a957526a2b
    791f123b3aaff1b92873bd4b7a969387
    c6381ebf8f0349b8d47c5e623bbcef6b
    e82057e481a2d07b177d9d94463a7441

    securelist.com/cve-2025-55182-…

    #prototype #proto #constructor
  16. Cybersecurity & cyberwarfare @[email protected] ·

    It didn’t take long: CVE-2025-55182 is now under active exploitation

    On December 4, 2025, researchers published details on the critical vulnerability CVE-2025-55182, which received a CVSS score of 10.0. It has been unofficially dubbed React4Shell, as it affects React Server Components (RSC) functionality used in web applications built with the React library. RSC speeds up UI rendering by distributing tasks between the client and the server. The flaw is categorized as CWE-502 (Deserialization of Untrusted Data). It allows an attacker to execute commands, as well as read and write files in directories accessible to the web application, with the server process privileges.

    Almost immediately after the exploit was published, our honeypots began registering attempts to leverage CVE-2025-55182. This post analyzes the attack patterns, the malware that threat actors are attempting to deliver to vulnerable devices, and shares recommendations for risk mitigation.

    A brief technical analysis of the vulnerability


    React applications are built on a component-based model. This means each part of the application or framework should operate independently and offer other components clear, simple methods for interaction. While this approach allows for flexible development and feature addition, it can require users to download large amounts of data, leading to inconsistent performance across devices. This is the challenge React Server Components were designed to address.

    The vulnerability was found within the Server Actions component of RSC. To reach the vulnerable function, the attacker just needs to send a POST request to the server containing a serialized data payload for execution. Part of the functionality of the handler that allows for unsafe deserialization is illustrated below:


    A comparison of the vulnerable (left) and patched (right) functions

    CVE-2025-55182 on Kaspersky honeypots


    As the vulnerability is rather simple to exploit, the attackers quickly added it to their arsenal. The initial exploitation attempts were registered by Kaspersky honeypots on December 5. By Monday, December 8, the number of attempts had increased significantly and continues to rise.

    The number of CVE-2025-55182 attacks targeting Kaspersky honeypots, by day (download)

    Attackers first probe their target to ensure it is not a honeypot: they run whoami, perform multiplication in bash, or compute MD5 or Base64 hashes of random strings to verify their code can execute on the targeted machine.

    In most cases, they then attempt to download malicious files using command-line web clients like wget or curl. Additionally, some attackers deliver a PowerShell-based Windows payload that installs XMRig, a popular Monero crypto miner.

    CVE-2025-55182 was quickly weaponized by numerous malware campaigns, ranging from classic Mirai/Gafgyt variants to crypto miners and the RondoDox botnet. Upon infecting a system, RondoDox wastes no time, its loader script immediately moving to eliminate competitors:

    Beyond checking hardcoded paths, RondoDox also neutralizes AppArmor and SELinux security modules and employs more sophisticated methods to find and terminate processes with ELF files removed for disguise.

    Only after completing these steps does the script download and execute the main payload by sequentially trying three different loaders: wget, curl, and wget from BusyBox. It also iterates through 18 different malware builds for various CPU architectures, enabling it to infect both IoT devices and standard x86_64 Linux servers.

    In some attacks, instead of deploying malware, the adversary attempted to steal credentials for Git and cloud environments. A successful breach could lead to cloud infrastructure compromise, software supply chain attacks, and other severe consequences.


    Risk mitigation measures


    We strongly recommend updating the relevant packages by applying patches released by the developers of the corresponding modules and bundles.
    Vulnerable versions of React Server Components:

    • react-server-dom-webpack (19.0.0, 19.1.0, 19.1.1, 19.2.0)
    • react-server-dom-parcel (19.0.0, 19.1.0, 19.1.1, 19.2.0)
    • react-server-dom-turbopack (19.0.0, 19.1.0, 19.1.1, 19.2.0)

    Bundles and modules confirmed as using React Server Components:

    • next
    • react-router
    • waku
    • @parcel/rsc
    • @vitejs/plugin-rsc
    • rwsdk

    To prevent exploitation while patches are being deployed, consider blocking all POST requests containing the following keywords in parameters or the request body:

    • #constructor
    • # proto
    • #prototype
    • vm#runInThisContext
    • vm#runInNewContext
    • child_process#execSync
    • child_process#execFileSync
    • child_process#spawnSync
    • module#_load
    • module#createRequire
    • fs#readFileSync
    • fs#writeFileSync
    • s#appendFileSync


    Conclusion


    Due to the ease of exploitation and the public availability of a working PoC, threat actors have rapidly adopted CVE-2025-55182. It is highly likely that attacks will continue to grow in the near term.

    We recommend immediately updating React to the latest patched version, scanning vulnerable hosts for signs of malware, and changing any credentials stored on them.

    Indicators of compromise


    Malware URLs
    hxxp://172.237.55.180/b
    hxxp://172.237.55.180/c
    hxxp://176.117.107.154/bot
    hxxp://193.34.213.150/nuts/bolts
    hxxp://193.34.213.150/nuts/x86
    hxxp://23.132.164.54/bot
    hxxp://31.56.27.76/n2/x86
    hxxp://31.56.27.97/scripts/4thepool_miner[.]sh
    hxxp://41.231.37.153/rondo[.]aqu[.]sh
    hxxp://41.231.37.153/rondo[.]arc700
    hxxp://41.231.37.153/rondo[.]armeb
    hxxp://41.231.37.153/rondo[.]armebhf
    hxxp://41.231.37.153/rondo[.]armv4l
    hxxp://41.231.37.153/rondo[.]armv5l
    hxxp://41.231.37.153/rondo[.]armv6l
    hxxp://41.231.37.153/rondo[.]armv7l
    hxxp://41.231.37.153/rondo[.]i486
    hxxp://41.231.37.153/rondo[.]i586
    hxxp://41.231.37.153/rondo[.]i686
    hxxp://41.231.37.153/rondo[.]m68k
    hxxp://41.231.37.153/rondo[.]mips
    hxxp://41.231.37.153/rondo[.]mipsel
    hxxp://41.231.37.153/rondo[.]powerpc
    hxxp://41.231.37.153/rondo[.]powerpc-440fp
    hxxp://41.231.37.153/rondo[.]sh4
    hxxp://41.231.37.153/rondo[.]sparc
    hxxp://41.231.37.153/rondo[.]x86_64
    hxxp://51.81.104.115/nuts/bolts
    hxxp://51.81.104.115/nuts/x86
    hxxp://51.91.77.94:13339/termite/51.91.77.94:13337
    hxxp://59.7.217.245:7070/app2
    hxxp://59.7.217.245:7070/c[.]sh
    hxxp://68.142.129.4:8277/download/c[.]sh
    hxxp://89.144.31.18/nuts/bolts
    hxxp://89.144.31.18/nuts/x86
    hxxp://gfxnick.emerald.usbx[.]me/bot
    hxxp://meomeoli.mooo[.]com:8820/CLoadPXP/lix.exe?pass=PXPa9682775lckbitXPRopGIXPIL
    hxxps://api.hellknight[.]xyz/js
    hxxps://gist.githubusercontent[.]com/demonic-agents/39e943f4de855e2aef12f34324cbf150/raw/e767e1cef1c35738689ba4df9c6f7f29a6afba1a/setup_c3pool_miner[.]sh

    MD5 hashes
    0450fe19cfb91660e9874c0ce7a121e0
    3ba4d5e0cf0557f03ee5a97a2de56511
    622f904bb82c8118da2966a957526a2b
    791f123b3aaff1b92873bd4b7a969387
    c6381ebf8f0349b8d47c5e623bbcef6b
    e82057e481a2d07b177d9d94463a7441

    securelist.com/cve-2025-55182-…

    #prototype #proto #constructor
  17. Cybersecurity & cyberwarfare @[email protected] ·

    It didn’t take long: CVE-2025-55182 is now under active exploitation

    On December 4, 2025, researchers published details on the critical vulnerability CVE-2025-55182, which received a CVSS score of 10.0. It has been unofficially dubbed React4Shell, as it affects React Server Components (RSC) functionality used in web applications built with the React library. RSC speeds up UI rendering by distributing tasks between the client and the server. The flaw is categorized as CWE-502 (Deserialization of Untrusted Data). It allows an attacker to execute commands, as well as read and write files in directories accessible to the web application, with the server process privileges.

    Almost immediately after the exploit was published, our honeypots began registering attempts to leverage CVE-2025-55182. This post analyzes the attack patterns, the malware that threat actors are attempting to deliver to vulnerable devices, and shares recommendations for risk mitigation.

    A brief technical analysis of the vulnerability


    React applications are built on a component-based model. This means each part of the application or framework should operate independently and offer other components clear, simple methods for interaction. While this approach allows for flexible development and feature addition, it can require users to download large amounts of data, leading to inconsistent performance across devices. This is the challenge React Server Components were designed to address.

    The vulnerability was found within the Server Actions component of RSC. To reach the vulnerable function, the attacker just needs to send a POST request to the server containing a serialized data payload for execution. Part of the functionality of the handler that allows for unsafe deserialization is illustrated below:


    A comparison of the vulnerable (left) and patched (right) functions

    CVE-2025-55182 on Kaspersky honeypots


    As the vulnerability is rather simple to exploit, the attackers quickly added it to their arsenal. The initial exploitation attempts were registered by Kaspersky honeypots on December 5. By Monday, December 8, the number of attempts had increased significantly and continues to rise.

    The number of CVE-2025-55182 attacks targeting Kaspersky honeypots, by day (download)

    Attackers first probe their target to ensure it is not a honeypot: they run whoami, perform multiplication in bash, or compute MD5 or Base64 hashes of random strings to verify their code can execute on the targeted machine.

    In most cases, they then attempt to download malicious files using command-line web clients like wget or curl. Additionally, some attackers deliver a PowerShell-based Windows payload that installs XMRig, a popular Monero crypto miner.

    CVE-2025-55182 was quickly weaponized by numerous malware campaigns, ranging from classic Mirai/Gafgyt variants to crypto miners and the RondoDox botnet. Upon infecting a system, RondoDox wastes no time, its loader script immediately moving to eliminate competitors:

    Beyond checking hardcoded paths, RondoDox also neutralizes AppArmor and SELinux security modules and employs more sophisticated methods to find and terminate processes with ELF files removed for disguise.

    Only after completing these steps does the script download and execute the main payload by sequentially trying three different loaders: wget, curl, and wget from BusyBox. It also iterates through 18 different malware builds for various CPU architectures, enabling it to infect both IoT devices and standard x86_64 Linux servers.

    In some attacks, instead of deploying malware, the adversary attempted to steal credentials for Git and cloud environments. A successful breach could lead to cloud infrastructure compromise, software supply chain attacks, and other severe consequences.


    Risk mitigation measures


    We strongly recommend updating the relevant packages by applying patches released by the developers of the corresponding modules and bundles.
    Vulnerable versions of React Server Components:

    • react-server-dom-webpack (19.0.0, 19.1.0, 19.1.1, 19.2.0)
    • react-server-dom-parcel (19.0.0, 19.1.0, 19.1.1, 19.2.0)
    • react-server-dom-turbopack (19.0.0, 19.1.0, 19.1.1, 19.2.0)

    Bundles and modules confirmed as using React Server Components:

    • next
    • react-router
    • waku
    • @parcel/rsc
    • @vitejs/plugin-rsc
    • rwsdk

    To prevent exploitation while patches are being deployed, consider blocking all POST requests containing the following keywords in parameters or the request body:

    • #constructor
    • # proto
    • #prototype
    • vm#runInThisContext
    • vm#runInNewContext
    • child_process#execSync
    • child_process#execFileSync
    • child_process#spawnSync
    • module#_load
    • module#createRequire
    • fs#readFileSync
    • fs#writeFileSync
    • s#appendFileSync


    Conclusion


    Due to the ease of exploitation and the public availability of a working PoC, threat actors have rapidly adopted CVE-2025-55182. It is highly likely that attacks will continue to grow in the near term.

    We recommend immediately updating React to the latest patched version, scanning vulnerable hosts for signs of malware, and changing any credentials stored on them.

    Indicators of compromise


    Malware URLs
    hxxp://172.237.55.180/b
    hxxp://172.237.55.180/c
    hxxp://176.117.107.154/bot
    hxxp://193.34.213.150/nuts/bolts
    hxxp://193.34.213.150/nuts/x86
    hxxp://23.132.164.54/bot
    hxxp://31.56.27.76/n2/x86
    hxxp://31.56.27.97/scripts/4thepool_miner[.]sh
    hxxp://41.231.37.153/rondo[.]aqu[.]sh
    hxxp://41.231.37.153/rondo[.]arc700
    hxxp://41.231.37.153/rondo[.]armeb
    hxxp://41.231.37.153/rondo[.]armebhf
    hxxp://41.231.37.153/rondo[.]armv4l
    hxxp://41.231.37.153/rondo[.]armv5l
    hxxp://41.231.37.153/rondo[.]armv6l
    hxxp://41.231.37.153/rondo[.]armv7l
    hxxp://41.231.37.153/rondo[.]i486
    hxxp://41.231.37.153/rondo[.]i586
    hxxp://41.231.37.153/rondo[.]i686
    hxxp://41.231.37.153/rondo[.]m68k
    hxxp://41.231.37.153/rondo[.]mips
    hxxp://41.231.37.153/rondo[.]mipsel
    hxxp://41.231.37.153/rondo[.]powerpc
    hxxp://41.231.37.153/rondo[.]powerpc-440fp
    hxxp://41.231.37.153/rondo[.]sh4
    hxxp://41.231.37.153/rondo[.]sparc
    hxxp://41.231.37.153/rondo[.]x86_64
    hxxp://51.81.104.115/nuts/bolts
    hxxp://51.81.104.115/nuts/x86
    hxxp://51.91.77.94:13339/termite/51.91.77.94:13337
    hxxp://59.7.217.245:7070/app2
    hxxp://59.7.217.245:7070/c[.]sh
    hxxp://68.142.129.4:8277/download/c[.]sh
    hxxp://89.144.31.18/nuts/bolts
    hxxp://89.144.31.18/nuts/x86
    hxxp://gfxnick.emerald.usbx[.]me/bot
    hxxp://meomeoli.mooo[.]com:8820/CLoadPXP/lix.exe?pass=PXPa9682775lckbitXPRopGIXPIL
    hxxps://api.hellknight[.]xyz/js
    hxxps://gist.githubusercontent[.]com/demonic-agents/39e943f4de855e2aef12f34324cbf150/raw/e767e1cef1c35738689ba4df9c6f7f29a6afba1a/setup_c3pool_miner[.]sh

    MD5 hashes
    0450fe19cfb91660e9874c0ce7a121e0
    3ba4d5e0cf0557f03ee5a97a2de56511
    622f904bb82c8118da2966a957526a2b
    791f123b3aaff1b92873bd4b7a969387
    c6381ebf8f0349b8d47c5e623bbcef6b
    e82057e481a2d07b177d9d94463a7441

    securelist.com/cve-2025-55182-…

    #constructor #proto #prototype
  18. Cybersecurity & cyberwarfare @[email protected] ·

    It didn’t take long: CVE-2025-55182 is now under active exploitation

    On December 4, 2025, researchers published details on the critical vulnerability CVE-2025-55182, which received a CVSS score of 10.0. It has been unofficially dubbed React4Shell, as it affects React Server Components (RSC) functionality used in web applications built with the React library. RSC speeds up UI rendering by distributing tasks between the client and the server. The flaw is categorized as CWE-502 (Deserialization of Untrusted Data). It allows an attacker to execute commands, as well as read and write files in directories accessible to the web application, with the server process privileges.

    Almost immediately after the exploit was published, our honeypots began registering attempts to leverage CVE-2025-55182. This post analyzes the attack patterns, the malware that threat actors are attempting to deliver to vulnerable devices, and shares recommendations for risk mitigation.

    A brief technical analysis of the vulnerability


    React applications are built on a component-based model. This means each part of the application or framework should operate independently and offer other components clear, simple methods for interaction. While this approach allows for flexible development and feature addition, it can require users to download large amounts of data, leading to inconsistent performance across devices. This is the challenge React Server Components were designed to address.

    The vulnerability was found within the Server Actions component of RSC. To reach the vulnerable function, the attacker just needs to send a POST request to the server containing a serialized data payload for execution. Part of the functionality of the handler that allows for unsafe deserialization is illustrated below:


    A comparison of the vulnerable (left) and patched (right) functions

    CVE-2025-55182 on Kaspersky honeypots


    As the vulnerability is rather simple to exploit, the attackers quickly added it to their arsenal. The initial exploitation attempts were registered by Kaspersky honeypots on December 5. By Monday, December 8, the number of attempts had increased significantly and continues to rise.

    The number of CVE-2025-55182 attacks targeting Kaspersky honeypots, by day (download)

    Attackers first probe their target to ensure it is not a honeypot: they run whoami, perform multiplication in bash, or compute MD5 or Base64 hashes of random strings to verify their code can execute on the targeted machine.

    In most cases, they then attempt to download malicious files using command-line web clients like wget or curl. Additionally, some attackers deliver a PowerShell-based Windows payload that installs XMRig, a popular Monero crypto miner.

    CVE-2025-55182 was quickly weaponized by numerous malware campaigns, ranging from classic Mirai/Gafgyt variants to crypto miners and the RondoDox botnet. Upon infecting a system, RondoDox wastes no time, its loader script immediately moving to eliminate competitors:

    Beyond checking hardcoded paths, RondoDox also neutralizes AppArmor and SELinux security modules and employs more sophisticated methods to find and terminate processes with ELF files removed for disguise.

    Only after completing these steps does the script download and execute the main payload by sequentially trying three different loaders: wget, curl, and wget from BusyBox. It also iterates through 18 different malware builds for various CPU architectures, enabling it to infect both IoT devices and standard x86_64 Linux servers.

    In some attacks, instead of deploying malware, the adversary attempted to steal credentials for Git and cloud environments. A successful breach could lead to cloud infrastructure compromise, software supply chain attacks, and other severe consequences.


    Risk mitigation measures


    We strongly recommend updating the relevant packages by applying patches released by the developers of the corresponding modules and bundles.
    Vulnerable versions of React Server Components:

    • react-server-dom-webpack (19.0.0, 19.1.0, 19.1.1, 19.2.0)
    • react-server-dom-parcel (19.0.0, 19.1.0, 19.1.1, 19.2.0)
    • react-server-dom-turbopack (19.0.0, 19.1.0, 19.1.1, 19.2.0)

    Bundles and modules confirmed as using React Server Components:

    • next
    • react-router
    • waku
    • @parcel/rsc
    • @vitejs/plugin-rsc
    • rwsdk

    To prevent exploitation while patches are being deployed, consider blocking all POST requests containing the following keywords in parameters or the request body:

    • #constructor
    • # proto
    • #prototype
    • vm#runInThisContext
    • vm#runInNewContext
    • child_process#execSync
    • child_process#execFileSync
    • child_process#spawnSync
    • module#_load
    • module#createRequire
    • fs#readFileSync
    • fs#writeFileSync
    • s#appendFileSync


    Conclusion


    Due to the ease of exploitation and the public availability of a working PoC, threat actors have rapidly adopted CVE-2025-55182. It is highly likely that attacks will continue to grow in the near term.

    We recommend immediately updating React to the latest patched version, scanning vulnerable hosts for signs of malware, and changing any credentials stored on them.

    Indicators of compromise


    Malware URLs
    hxxp://172.237.55.180/b
    hxxp://172.237.55.180/c
    hxxp://176.117.107.154/bot
    hxxp://193.34.213.150/nuts/bolts
    hxxp://193.34.213.150/nuts/x86
    hxxp://23.132.164.54/bot
    hxxp://31.56.27.76/n2/x86
    hxxp://31.56.27.97/scripts/4thepool_miner[.]sh
    hxxp://41.231.37.153/rondo[.]aqu[.]sh
    hxxp://41.231.37.153/rondo[.]arc700
    hxxp://41.231.37.153/rondo[.]armeb
    hxxp://41.231.37.153/rondo[.]armebhf
    hxxp://41.231.37.153/rondo[.]armv4l
    hxxp://41.231.37.153/rondo[.]armv5l
    hxxp://41.231.37.153/rondo[.]armv6l
    hxxp://41.231.37.153/rondo[.]armv7l
    hxxp://41.231.37.153/rondo[.]i486
    hxxp://41.231.37.153/rondo[.]i586
    hxxp://41.231.37.153/rondo[.]i686
    hxxp://41.231.37.153/rondo[.]m68k
    hxxp://41.231.37.153/rondo[.]mips
    hxxp://41.231.37.153/rondo[.]mipsel
    hxxp://41.231.37.153/rondo[.]powerpc
    hxxp://41.231.37.153/rondo[.]powerpc-440fp
    hxxp://41.231.37.153/rondo[.]sh4
    hxxp://41.231.37.153/rondo[.]sparc
    hxxp://41.231.37.153/rondo[.]x86_64
    hxxp://51.81.104.115/nuts/bolts
    hxxp://51.81.104.115/nuts/x86
    hxxp://51.91.77.94:13339/termite/51.91.77.94:13337
    hxxp://59.7.217.245:7070/app2
    hxxp://59.7.217.245:7070/c[.]sh
    hxxp://68.142.129.4:8277/download/c[.]sh
    hxxp://89.144.31.18/nuts/bolts
    hxxp://89.144.31.18/nuts/x86
    hxxp://gfxnick.emerald.usbx[.]me/bot
    hxxp://meomeoli.mooo[.]com:8820/CLoadPXP/lix.exe?pass=PXPa9682775lckbitXPRopGIXPIL
    hxxps://api.hellknight[.]xyz/js
    hxxps://gist.githubusercontent[.]com/demonic-agents/39e943f4de855e2aef12f34324cbf150/raw/e767e1cef1c35738689ba4df9c6f7f29a6afba1a/setup_c3pool_miner[.]sh

    MD5 hashes
    0450fe19cfb91660e9874c0ce7a121e0
    3ba4d5e0cf0557f03ee5a97a2de56511
    622f904bb82c8118da2966a957526a2b
    791f123b3aaff1b92873bd4b7a969387
    c6381ebf8f0349b8d47c5e623bbcef6b
    e82057e481a2d07b177d9d94463a7441

    securelist.com/cve-2025-55182-…

    #prototype #proto #constructor
  19. Christiaan Kras @Htbaa ·

    Started playing Plus on the Switch today. Have had it for 5 years now… I remember a friend playing this game backbone . But at the age we were I doubt he actually knew how to play it. I certainly didn’t.

    The game has a certain charm to it and a unique look. But wow is this game a lot to absorb! So many mechanics and layers. It can get a bit overwhelming and more often than not I’m confused on how to get something done. But it’s fun though! Just a lot to keep track of.

    #constructor #playstation
  20. Habr @[email protected] ·

    JavaScript: зачем конструктору return …

    Этот вопрос интересовал меня настолько давно, что за прошедшие годы даже стал как-то про него забывать. И не то, чтобы меня это прям как-то сильно интересовало, но всё же лучше понимать назначение было бы приятно. И, ведь, ну в самом деле, подумаешь, ну может разработчику хочеться вернуть не эземпляр, не instance, а какой-нибудь другой объект, и зачем-то при этом ему нужен именно вызов конструктора. Ну, допустим, он хочет чтобы new.target был заполнен и т.п., ну, мало ли какие варианты зачем-то иметь возможность в противном случае вернуть объект. Или может он хочет асинхронных конструкторов и вернуть new Promise, где уже в resolve передать this как вариант для создания await new MyConstructor . Или может быть хочет вернуть Proxy над this для отслеживания операций с этим экземпляром. В общем есть всякие разные причины когда гуманно было бы иметь этот "сахар", но всё же, может быть есть что-то, что иначе никак не сделать? И, самое важное, что эта функциональность былв всегда, с самой первой версии же. Понятно, что может быть про это вообще не думали, просто делали "как привычно". И, да, функции-конструкторы, в отличие от class-ов можно вызвать без new и в те времена никаких классов в JavaScript не было конечно, и return объективно был нужен, но может быть есть какие-нибудь варианты когда и с new имеется глубокий практический смысл уже и тогда существовали, то есть может быть назначение операции возврата иного значения конкретно у конструкторов вполне себе приемлемое. И, да, конечно, конструкторы не возвращают примитивы, но может быть и для объектов есть какое-то применение тоже находилось бы, ну, вдруг, внезапно, может быть ...

    habr.com/ru/articles/939050/

    #JavaScript #constructor #item

    #item #constructor #javascript
  21. Peter Kröner @[email protected] ·

    😭 TIL: can't have a private class field named "#constructor"
    tc39.es/ecma262/#sec-class-def

    #javascript #webdev

    #constructor #javascript #webdev
  22. IT News @[email protected] ·

    Constructor finds $55M for tech that powers search and discovery for e-commerce businesses - One of the biggest problems in the world of e-commerce is the predicament of sh... - feedproxy.google.com/~r/Techcr #silversmithcapitalpartners #artificialintelligence #technologydevelopment #onlineshopping #merchandising #googlesearch #sproutsocial #boardmember #constructor #jasonfinger #socialmedia #travelocity #better.com #carlsparks #co-founder #davidfraga #ecommerce

    #ecommerce #davidfraga #co #carlsparks #better #travelocity
  23. Jim Donegan 🎵 ✅ @[email protected] ·

    #LeeCronin and #LexFridman - The Greatest #Invention In The History Of The #Universe

    youtube.com/watch?v=6T_x3Teeq4

    #CellularAutomata #Life #Evolution #Computation #DataStorage #Replication #StateMachine #TuringMachine #VonNeuman #Replicator #Replicators #Constructor #Constructors #PhaseTransition #PhaseTransitions #Mutation

    #mutation #phasetransitions #phasetransition #constructors #constructor #replicators
  24. Jim Donegan 🎵 ✅ @[email protected] ·

    #LeeCronin and #LexFridman - The Greatest #Invention In The History Of The #Universe

    youtube.com/watch?v=6T_x3Teeq4

    #CellularAutomata #Life #Evolution #Computation #DataStorage #Replication #StateMachine #TuringMachine #VonNeuman #Replicator #Replicators #Constructor #Constructors #PhaseTransition #PhaseTransitions #Mutation

    #mutation #phasetransitions #phasetransition #constructors #constructor #replicators
  25. Jim Donegan 🎵 ✅ @[email protected] ·

    #LeeCronin and #LexFridman - The Greatest #Invention In The History Of The #Universe

    youtube.com/watch?v=6T_x3Teeq4

    #CellularAutomata #Life #Evolution #Computation #DataStorage #Replication #StateMachine #TuringMachine #VonNeuman #Replicator #Replicators #Constructor #Constructors #PhaseTransition #PhaseTransitions #Mutation

    #mutation #phasetransitions #phasetransition #constructors #constructor #replicators
  26. Jim Donegan 🎵 ✅ @[email protected] ·

    #LeeCronin and #LexFridman - The Greatest #Invention In The History Of The #Universe

    youtube.com/watch?v=6T_x3Teeq4

    #CellularAutomata #Life #Evolution #Computation #DataStorage #Replication #StateMachine #TuringMachine #VonNeuman #Replicator #Replicators #Constructor #Constructors #PhaseTransition #PhaseTransitions #Mutation

    #leecronin #lexfridman #invention #universe #cellularautomata #life
  27. Jim Donegan 🎵 ✅ @[email protected] ·

    #LeeCronin and #LexFridman - The Greatest #Invention In The History Of The #Universe

    youtube.com/watch?v=6T_x3Teeq4

    #CellularAutomata #Life #Evolution #Computation #DataStorage #Replication #StateMachine #TuringMachine #VonNeuman #Replicator #Replicators #Constructor #Constructors #PhaseTransition #PhaseTransitions #Mutation

    #mutation #phasetransitions #phasetransition #constructors #constructor #replicators
  28. Peter Kröner @[email protected] ·

    😭 TIL: can't have a private class field named "#constructor"

    tc39.es/ecma262/#sec-class-def

    #javascript #webdev

    #constructor #javascript #webdev
  29. TFed @[email protected] ·

    @IGVazquez I love #ranger and #neovim

    but at the same time I started to use #Emacs

    For me, they are specific tools, that made for different things.

    #Emacs is the best #Constructor ever, when #vim is the fastest thing ever.

    I love them both 🙂

    #neovim #emacs #vim #ranger #constructor
  30. Aral Balkan @[email protected] ·

    Realised last night that JavaScript Database (JSDB) doesn’t run the constructor on persisted custom objects (codeberg.org/small-tech/jsdb#c) when deserialising them because I didn’t know that you apparently have to define your constructor manually when using Object.create().

    Will fix it today but it’s something to watch out for if you’re using Object.create() directly.

    For more info, see developer.mozilla.org/en-US/do

    #JSDB #customObjects #constructor #bug #JavaScript #NodeJS #SmallTech #SmallWeb

    #jsdb #customobjects #constructor #bug #javascript #nodejs
  31. Habr @[email protected] ·

    Конструкторы-самозванцы в Kotlin

    Сегодня я хочу поговорить про интересные моменты в Kotlin, связанные с вызовами конструкторов классов. Или не совсем конструкторов? Или же совсем не конструкторов? Давайте разбираться. Это техническая статья для любителей языковых интересностей, не лишённая практического смысла.

    habr.com/ru/articles/805767/

    #kotlin #constructor #initialization #function

    #function #initialization #constructor #kotlin
  32. C. @[email protected] ·

    @awws

    I haven't looked for a PyPI module to do this, specifically. In the past, I've done simple functions with dict lookups to map keys from one source to a canonical value, or with Pydantic, use alternate constructors that you call depending on which source you're dealing with.

    Example at pastebin.com/8Xt5EK6R .

    #adapter #constructor #validation

    #adapter #constructor #validation
  33. ᛕᎥᕼᗷᗴᖇᑎᗴ丅Ꭵᑕᔕ @[email protected] ·

    The self-#constructor:

    #constructor
  34. ᛕᎥᕼᗷᗴᖇᑎᗴ丅Ꭵᑕᔕ @[email protected] ·

    #DNA is not a #blueprint describing the #structure or the #function of an #organism.
    It is rather a #recipe (an algorithm) that describes (#control) the #process of #construction, i.e. specifies what #action the #constructor has to perform at any moment depending on the constructor’s own #state and that of its #environment.

    The #function of the #organism is defined by its #structure as constructed by following the #DNA algorithm. Besides the functions involved in this process of self-construction and maintenance, a mature organism is also involved in the #production of #artifacts (messages, seeds) for dissemination (#communication) in the environment.

    #structure #function #organism #recipe #action #constructor
  35. Khürt Williams @[email protected] ·

    Camel POOP - Perl Object Oriented Programming

    I wrote this article for the CodeProject back in 2002 during my first consulting career as a web developer as a way to boost my visibility. I am capturing it here for my archives. The article is based on Perl 5.

    islandinthenet.com/camel-poop-

    #accessor #call #class #constructor #create #display