Find notable cyber news and cases, enriched with sources, timelines, and signals.

Active web traffic hijacking campaign targeting NGINX and Baota panels

Campaign
First reported
Last updated
Happening score
H score 34
1 unique sources, 1 articles

Summary

Hide ▲

An active web traffic hijacking campaign is targeting NGINX installations and Baota (BT) management panels, putting legitimate site traffic at risk of redirection through attacker infrastructure. The operation injects malicious configuration files that capture selected URL paths and forward requests with proxy_pass. It has been observed alongside React2Shell (CVE-2025-55182) exploitation and uses shell-script tooling to persist on exposed servers. The targeting spans Asian TLDs and government and educational domains, making the intrusion scope broad rather than isolated.

Related Happenings

NGINX web server critical flaws (multiple vulnerabilities)

Vulnerability
H score38 First: 18.06.2026 14:33 Last: 18.06.2026 14:33 Sources 1

About this happening: **NGINX** had two critical web server vulnerabilities, **CVE-2026-42530** and **CVE-2026-42055**, that can let **remote unauthenticated attackers** trigger **remote code execution...

NGINX and Apache HTTPD HTTP/2 Bomb mitigations

Advisory/Mitigation
H score46 First: 03.06.2026 11:33 Last: 03.06.2026 11:33 Sources 1

About this happening: Calif issued mitigation guidance for **NGINX** and **Apache HTTPD** operators after **HTTP/2 Bomb** was found to enable a **remote denial-of-service** against default HTTP/2 confi...

React/Next.js applications React2Shell RCE flaw (CVE-2025-55182)

Vulnerability
H score54 First: 09.02.2026 10:37 Last: 09.02.2026 10:37 Sources 1

About this happening: **React2Shell (CVE-2025-55182)** is being **heavily exploited** in **React Server Components (RSC)**, with Huntress observing attackers deliver **cryptocurrency miners** and new m...

Latest development: 09.03.2026 23:45

Google reports that newly disclosed third-party flaws are increasingly being exploited for initial access to cloud environments, with React2Shell (CVE-2025-55182) and CVE-2025-24893 highlighted as frequent RCE examples. The report says attackers are weaponizing new flaws within days, with cryptominers observed within 48 hours of vulnerability disclosure.

NGINX traffic hijacking campaign targeting Asian and government domains

Campaign
H score30 First: 05.02.2026 01:26 Last: 05.02.2026 01:26 Sources 1

About this happening: A **threat actor** is running an active **traffic-hijacking campaign** against **NGINX servers**, rerouting user requests through attacker infrastructure and increasing the risk o...

NGINX hijack toolkit that injects configs and exfiltrates mapping data

Malware Activity
H score16 First: 05.02.2026 01:26 Last: 05.02.2026 01:26 Sources 1

About this happening: A **scripted multi-stage toolkit** is automating **NGINX configuration injection**, **service reloads**, and **C2 exfiltration** to hijack traffic on compromised hosts. The toolki...

Timeline

  1. 05.02.2026 06:56 2 articles · 5mo ago

    Initial report: Active web traffic hijacking campaign targeting NGINX and Baota panels

    Initial Disclosure

    Initial access appears to come from **React2Shell (CVE-2025-55182)** exploitation, after which shell scripts deploy malicious NGINX configuration files to establish traffic redirection. The earliest stage focuses on persistence and on changing reverse-proxy behavior before user requests are forwarded onward.

    Show sources