Find notable cyber news and cases, enriched with sources, timelines, and signals.

React/Next.js applications React2Shell RCE flaw (CVE-2025-55182)

Vulnerability
First reported
Last updated
Happening score
H score 54
3 unique sources, 5 articles

Summary

Hide ▲

React2Shell (CVE-2025-55182) is being heavily exploited in React Server Components (RSC), with Huntress observing attackers deliver cryptocurrency miners and new malware families including PeerBlight, CowTunnel, and ZinFoq. Activity has targeted numerous organizations across sectors, especially construction and entertainment, and Huntress recorded the first attempt it saw on December 4, 2025 against a Windows endpoint through a vulnerable Next.js instance. Attackers also used a publicly available GitHub tool to identify vulnerable Next.js systems before starting intrusion activity.

Related Happenings

Magento exploitation wave for CVE-2026-45247

Exploitation Wave
H score9 First: 04.06.2026 10:19 Last: 04.06.2026 10:19 Sources 1

About this happening: Active exploitation of **CVE-2026-45247** is hitting **Mirasvit Cache Warmer** on **Magento** stores, with malicious requests carrying serialized PHP payloads that can lead to **r...

Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel

Malware Activity
H score49 First: 02.06.2026 21:21 Last: 02.06.2026 21:21 Sources 1

About this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....

Latest development: 09.06.2026 15:26

Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.

JINX-0164 cryptocurrency recruitment-lure campaign

Campaign
H score39 First: 28.05.2026 10:54 Last: 28.05.2026 10:54 Sources 1

About this happening: A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...

Shai-Hulud worm clone activity on NPM

Malware Activity
H score69 First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)

Exploitation Wave
H score46 First: 17.05.2026 14:57 Last: 17.05.2026 14:57 Sources 1

About this happening: **openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...

Timeline

  1. 09.03.2026 23:45 2 articles · 4mo ago

    Google reports rapid exploitation of React2Shell in cloud attacks

    Technical Analysis Update

    Google reports that newly disclosed third-party flaws are increasingly being exploited for initial access to cloud environments, with React2Shell (CVE-2025-55182) and CVE-2025-24893 highlighted as frequent RCE examples. The report says attackers are weaponizing new flaws within days, with cryptominers observed within 48 hours of vulnerability disclosure.

    Show sources
  2. 20.02.2026 23:07 1 articles · 4mo ago

    Unknown actor probes global IPs for React2Shell exposure

    Campaign Scope Update

    A possibly state-sponsored actor is using the ILovePoop toolkit to probe tens of millions of IP addresses worldwide for exposed React2Shell/CVE-2025-55182 systems, with apparent interest in government, defense, finance, and industrial organizations, particularly in the United States.

    Show sources
  3. 09.02.2026 10:37 2 articles · 5mo ago

    TeamPCP exploits React2Shell in cloud-native infrastructure seeding

    Exploitation Observed

    Around December 25, 2025, TeamPCP's worm-driven activity leveraged exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and React2Shell (CVE-2025-55182, CVSS score: 10.0) to seed malicious cloud infrastructure for follow-on exploitation against React/Next.js applications.

    Show sources
  4. 09.02.2026 10:37 1 articles · 5mo ago

    Researchers publish TeamPCP cloud-native campaign analysis

    Initial Disclosure

    On 2026-02-09, cybersecurity researchers publicly attributed the campaign to TeamPCP (aka DeadCatx3, PCPcat, PersyPCP, and ShellForce) and described it as a cloud-native cybercrime platform that uses misconfigured Docker APIs, Kubernetes APIs, Ray dashboards, Redis servers, and vulnerable React/Next.js applications to support scanning, proxying, data theft, extortion, and monetization.

    Show sources