Understanding Current Threats to Kubernetes Environments

ID: 0ffd38eb-5a5a-5bb4-b24a-09d376206a6c

STIX ID: report--0ffd38eb-5a5a-5bb4-b24a-09d376206a6c

Feed Name: Palo Alto Networks Unit 42

Threat Score: 90/100

Date Published: 2026-04-06

Date Updated: 2026-04-28

Author: Eyal Rafian and Bill Batchelor

...
...

**Executive Summary:** This Unit 42 report documents a significant increase in Kubernetes-targeted activity, including a 282% rise in token-stealing operations. It shows how adversaries exploit misconfigurations and the React2Shell vulnerability (CVE-2025-55182) to gain pod runtime execution, harvest service account tokens and cloud credentials, and pivot to cloud-hosted backend systems. Case studies include cryptocurrency exchange compromises attributed to the North Korean group Slow Pisces (Lazarus). The report provides IOCs, mapped MITRE ATT&CK techniques, and practical mitigation guidance such as strict RBAC, short-lived projected service account tokens, and runtime detection with XDR.