Last Week in AppSec for 08. January 2026

ID: 299d4872-a71d-5446-8135-33d8d875551c

STIX ID: report--299d4872-a71d-5446-8135-33d8d875551c

Feed Name: Checkmarx Zero

Threat Score: 70/100

Date Published: 2026-01-07

Date Updated: 2026-04-27

Author: Darren Meyer

**Executive summary:** This Checkmarx Last Week In AppSec bulletin summarizes multiple security issues: active exploitation of the React2Shell deserialization flaw (with payloads and exploitation observed in the wild); MongoBleed, a MongoDB memory disclosure that allows secret leakage; an AdonisJS multipart file write vulnerability that enables arbitrary file writes and overwrites; a RustFS hardcoded gRPC token that enables authentication bypass; and a modest malicious npm package related to Shai-Hulud, with published IOCs. The report includes detection guidance, patches, and mitigations for defenders.
