
Five Chinese hacking groups' React2Shell exploitation campaign

Campaign
H score 59
1 unique sources, 1 articles

Summary


Five Chinese hacking groups have joined the ongoing React2Shell attacks exploiting CVE-2025-55182, expanding active exploitation of exposed React and Next.js systems. The campaign matters because the flaw enables unauthenticated remote code execution with a single HTTP request. Defenders are already tracking over 116,000 vulnerable IP addresses, showing that the attack surface is large and still exposed.

Related Happenings

Google GTIG analysis of adversary AI use for exploit development and attack orchestration

Technical Analysis
First: 11.05.2026 16:00 Last: 11.05.2026 16:00 Sources 1

About this happening: **Google Threat Intelligence Group** published findings showing **adversaries using AI** for **exploit development** and **attack orchestration**, signaling that model-assisted tr...

SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets

Campaign
First: 01.05.2026 17:02 Last: 01.05.2026 17:02 Sources 1

About this happening: **SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...

UNC1069 open-source maintainer social-engineering campaign

Campaign
First: 04.04.2026 23:30 Last: 04.04.2026 23:30 Sources 1

About this happening: UNC1069's **coordinated social-engineering campaign** against **Node.js and npm maintainers** has widened, with multiple developers reporting the same lure pattern and the potenti...

Latest development: 06.04.2026 23:55

Security researcher Taylor Monahan and Socket reported that members of the open source software community, including Socket engineers and CEO Feross Aboukhadijeh, were targeted by the same slow-burn LinkedIn, Slack, and Microsoft Teams social engineering playbook used against Axios maintainer Jason Saayman, indicating the campaign was wider than a single Axios compromise.

React2Shell (CVE-2025-55182) mass scanning and exploitation wave

Exploitation Wave
First: 20.02.2026 23:07 Last: 20.02.2026 23:07 Sources 1

How related: Over the weekend, Google's threat intelligence team linked five more Chinese hacking groups to attacks exploiting the maximum-severity "React2Shell" remote code execution vulnerability.

About this happening: **CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang...

React/Next.js applications React2Shell RCE flaw (CVE-2025-55182)

Vulnerability
First: 09.02.2026 10:37 Last: 09.02.2026 10:37 Sources 1

About this happening: **React2Shell (CVE-2025-55182)** is being **heavily exploited** in **React Server Components (RSC)**, with Huntress observing attackers deliver **cryptocurrency miners** and new m...

Latest development: 09.03.2026 23:45

Google reports that newly disclosed third-party flaws are increasingly being exploited for initial access to cloud environments, with React2Shell (CVE-2025-55182) and CVE-2025-24893 highlighted as frequent RCE examples. The report says attackers are weaponizing new flaws within days, with cryptominers observed within 48 hours of vulnerability disclosure.

Timeline

  1. 15.12.2025 14:46 1 articles · 5mo ago

    CVE-2025-55182 disclosure and early exploitation

    Initial Disclosure

    CVE-2025-55182, the maximum-severity React2Shell remote code execution flaw, was disclosed on December 3, 2025. It enabled unauthenticated attackers to run arbitrary code in React and Next.js applications with a single HTTP request. Vulnerable releases included React 19.0, 19.1.0, 19.1.1, and 19.2.0, and multiple react-server-dom-* packages were vulnerable in default configurations.

  2. 15.12.2025 14:46 1 articles · 5mo ago

    Five more Chinese groups join React2Shell exploitation

    Exploitation Observed

    On Saturday, December 13, 2025, Google Threat Intelligence Group said at least five more Chinese cyber-espionage groups had joined ongoing React2Shell exploitation against exposed React and Next.js systems. The newly linked groups were UNC6600, UNC6586, UNC6588, UNC6603, and UNC6595, with tooling and payloads including MINOCAT, SNOWLIGHT, COMPOOD, HISONIC, and ANGRYREBEL.LINUX.

  3. 15.12.2025 14:46 2 articles · 5mo ago

    React2Shell campaign widens across breached organizations and exposed systems

    Campaign Scope Update

    By December 15, 2025, Google Threat Intelligence Group said the React2Shell campaign had broadened to include Iranian threat actors and financially motivated operators using XMRig on unpatched systems. Palo Alto Networks reported dozens of breached organizations, and AWS warned that Earth Lamia and Jackpot Panda were exploiting the flaw within hours of disclosure to steal AWS configuration files, credentials, and other sensitive information. Shadowserver was tracking more than 116,000 vulnerable IP addresses, and GreyNoise had seen over 670 exploit attempts in the preceding 24 hours.
