React/Next.js applications React2Shell RCE flaw (CVE-2025-55182)
Vulnerability
Summary
React2Shell (CVE-2025-55182) is being heavily exploited in React Server Components (RSC), with Huntress observing attackers deliver cryptocurrency miners and new malware families including PeerBlight, CowTunnel, and ZinFoq. Activity has targeted numerous organizations across sectors, especially construction and entertainment; the first exploitation attempt Huntress observed was on December 4, 2025, against a Windows endpoint through a vulnerable Next.js instance. Attackers also used a publicly available GitHub tool to identify vulnerable Next.js systems before starting intrusion activity.
Related Happenings
Shai-Hulud worm clone activity on NPM
Malware Activity
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation Wave
First: 17.05.2026 14:57
Last: 17.05.2026 14:57
Sources 1
About this happening:
**openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...
TeamPCP campaign expands across multiple victims
Campaign
First: 15.05.2026 13:54
Last: 15.05.2026 13:54
Sources 1
About this happening:
The **TeamPCP / Mini Shai-Hulud** supply-chain operation is actively compromising **hundreds of packages**, exposing **downstream developers** to **malware delivery** and **creden...
Mistral AI hit by network compromise
Incident
First: 15.05.2026 01:50
Last: 15.05.2026 01:50
Sources 1
About this happening:
Mistral AI disclosed a **codebase management system compromise** tied to the **Mini Shai-Hulud** supply-chain attack, and the intrusion briefly contaminated some **SDK packages**....
Mini Shai-Hulud supply-chain campaign targeting npm and PyPI
Campaign
First: 12.05.2026 17:45
Last: 12.05.2026 17:45
Sources 1
About this happening:
The **Mini Shai-Hulud** **supply-chain campaign** linked to **TeamPCP** expanded into downstream victim reporting, including **Grafana Labs**. Grafana said its **GitHub environmen...
Latest development: 21.05.2026 11:00
Grafana Labs said its GitHub environment was accessed and its codebase downloaded, with additional internal operational information taken from GitHub repositories, after a compromise linked to the Mini Shai-Hulud campaign and TanStack npm packages. Grafana said it first spotted malicious activity on May 11 and discovered the unauthorized download on May 17; after contact from the ransom gang it rotated automation tokens, enabled enhanced monitoring, audited commits since the May 11 incident, and hardened its GitHub security posture, while stating there is no indication customer production systems or operations were compromised.
Timeline
- 09.03.2026 23:45 (2 articles)
Google reports rapid exploitation of React2Shell in cloud attacks
Technical Analysis Update: Google reports that newly disclosed third-party flaws are increasingly being exploited for initial access to cloud environments, with React2Shell (CVE-2025-55182) and CVE-2025-24893 highlighted as frequent RCE examples. The report says attackers are weaponizing new flaws within days, with cryptominers observed within 48 hours of vulnerability disclosure.
Sources:
- Google: Cloud attacks exploit flaws more than weak credentials — www.bleepingcomputer.com — 09.03.2026 23:45
- Automated Credential Harvesting Campaign Exploits React2Shell Flaw — www.darkreading.com — 06.04.2026 18:31
- 20.02.2026 23:07 (1 article)
Unknown actor probes global IPs for React2Shell exposure
Campaign Scope Update: A possibly state-sponsored actor is using the ILovePoop toolkit to probe tens of millions of IP addresses worldwide for exposed React2Shell/CVE-2025-55182 systems, with apparent interest in government, defense, finance, and industrial organizations, particularly in the United States.
Sources:
- Attackers Use New Tool to Scan for React2Shell Exposure — www.darkreading.com — 20.02.2026 23:07
- 09.02.2026 10:37 (2 articles)
TeamPCP exploits React2Shell in cloud-native infrastructure seeding
Exploitation Observed: Around December 25, 2025, TeamPCP's worm-driven activity leveraged exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and React2Shell (CVE-2025-55182, CVSS score: 10.0) to seed malicious cloud infrastructure for follow-on exploitation against React/Next.js applications.
Sources:
- TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure — thehackernews.com — 09.02.2026 10:37
- React2Shell Exploitation Delivers Crypto Miners and New Malware Across Multiple Sectors — thehackernews.com — 10.12.2025 22:19
- 09.02.2026 10:37 (1 article)
Researchers publish TeamPCP cloud-native campaign analysis
Initial Disclosure: On 2026-02-09, cybersecurity researchers publicly attributed the campaign to TeamPCP (aka DeadCatx3, PCPcat, PersyPCP, and ShellForce) and described it as a cloud-native cybercrime platform that uses misconfigured Docker APIs, Kubernetes APIs, Ray dashboards, Redis servers, and vulnerable React/Next.js applications to support scanning, proxying, data theft, extortion, and monetization.
Sources:
- TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure — thehackernews.com — 09.02.2026 10:37