Active web traffic hijacking campaign targeting NGINX and Baota panels

Campaign
Happening score: 49
1 unique source, 1 article

Summary

An active web traffic hijacking campaign is targeting NGINX installations and Baota (BT) management panels, putting legitimate site traffic at risk of redirection through attacker infrastructure. The operation injects malicious configuration files that capture selected URL paths and forward requests with proxy_pass. It has been observed alongside React2Shell (CVE-2025-55182) exploitation and uses shell-script tooling to persist on exposed servers. The targeting spans Asian TLDs and government and educational domains, making the intrusion scope broad rather than isolated.
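
A defender can check for this kind of injected forwarding by auditing every `proxy_pass` target against the upstreams the site is expected to use. The script below is an added example, not code from the reporting or from the campaign's tooling; the function name `audit_proxy_pass`, the allowlist, and the sample configuration are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

LOCATION_RE = re.compile(r"\blocation\s+([^{]+?)\s*\{")
PROXY_RE = re.compile(r"\bproxy_pass\s+([^;\s]+)\s*;")

# Constructed sample config (not taken from the campaign); 203.0.113.50 is a documentation address.
SAMPLE_CONF = """\
server {
    listen 80;
    server_name example.edu;
    location /api/ {
        proxy_pass http://127.0.0.1:3000;
    }
    location /news/ {
        proxy_pass http://203.0.113.50/relay;
    }
    location /static/ { proxy_pass http://app_backend; }
}
"""
ALLOWED = {"127.0.0.1", "app_backend"}  # assumed: hosts and upstream names you expect

def audit_proxy_pass(conf_text, allowed_hosts):
    """Return (line_no, location, target) for every proxy_pass to a non-allowlisted host."""
    findings, stack = [], []  # stack: one entry per open block (location pattern or None)
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop comments (simplification: ignores '#' inside quotes)
        loc = LOCATION_RE.search(line)
        opens = line.count("{")
        if loc:
            stack.append(loc.group(1))
            opens -= 1
        stack.extend([None] * opens)
        for target in PROXY_RE.findall(line):
            host = urlparse(target).hostname or target  # variables and odd forms fall through
            if host not in allowed_hosts:
                where = next((s for s in reversed(stack) if s), "<no location>")
                findings.append((line_no, where, target))
        for _ in range(line.count("}")):
            if stack:
                stack.pop()
    return findings

if __name__ == "__main__":
    for line_no, where, target in audit_proxy_pass(SAMPLE_CONF, ALLOWED):
        print(f"line {line_no}: location {where} -> {target}")
```

Feeding it the output of `nginx -T` covers included files as well, which matters when the change arrives as a separate dropped-in configuration file.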

Related Happenings

React/Next.js applications React2Shell RCE flaw (CVE-2025-55182)

Vulnerability
First: 09.02.2026 10:37 Last: 09.02.2026 10:37 Sources 1

About this happening: **React2Shell (CVE-2025-55182)** is being **heavily exploited** in **React Server Components (RSC)**, with Huntress observing attackers deliver **cryptocurrency miners** and new m...

Latest development: 09.03.2026 23:45

Google reports that newly disclosed third-party flaws are increasingly being exploited for initial access to cloud environments, with React2Shell (CVE-2025-55182) and CVE-2025-24893 highlighted as frequent RCE examples. The report says attackers are weaponizing new flaws within days, with cryptominers observed within 48 hours of vulnerability disclosure.

NGINX traffic hijacking campaign targeting Asian and government domains

Campaign
First: 05.02.2026 01:26 Last: 05.02.2026 01:26 Sources 1

About this happening: A **threat actor** is running an active **traffic-hijacking campaign** against **NGINX servers**, rerouting user requests through attacker infrastructure and increasing the risk o...

NGINX hijack toolkit that injects configs and exfiltrates mapping data

Malware Activity
First: 05.02.2026 01:26 Last: 05.02.2026 01:26 Sources 1

About this happening: A **scripted multi-stage toolkit** is automating **NGINX configuration injection**, **service reloads**, and **C2 exfiltration** to hijack traffic on compromised hosts. The toolki...

Bizarre Bazaar campaign targeting exposed LLM and MCP endpoints

Campaign
First: 28.01.2026 15:15 Last: 28.01.2026 15:15 Sources 1

About this happening: **Bizarre Bazaar** is an active **LLMjacking** campaign targeting **exposed LLM and MCP endpoints** to monetize unauthorized access to AI infrastructure. Researchers say the opera...

Latest development: 29.01.2026 20:37

Researchers said Operation Bizarre Bazaar, an LLMjacking marketplace that scans for exposed Ollama, vLLM, and OpenAI-compatible APIs without authentication and resells access through silver[.]inc, has been traced to Hecker (aka Sakuya and LiveGamer101).

ConsentFix browser-native OAuth consent phishing campaign

Campaign
First: 14.01.2026 17:01 Last: 14.01.2026 17:01 Sources 1

About this happening: The **ConsentFix** campaign is a **ClickFix**-style **OAuth consent phishing** operation that hijacks **Microsoft accounts** by abusing the **Azure CLI OAuth app**. In the reporte...

Timeline

  1. 05.02.2026 06:56 2 articles · 3mo ago

    Initial report: Active web traffic hijacking campaign targeting NGINX and Baota panels

    Initial Disclosure

    Initial access appears to come from **React2Shell (CVE-2025-55182)** exploitation, after which shell scripts deploy malicious NGINX configuration files to establish traffic redirection. The earliest stage focuses on persistence and on changing reverse-proxy behavior before user requests are forwarded onward.
