React/Next.js applications React2Shell RCE flaw (CVE-2025-55182)
Vulnerability
Summary
Hide ▲
Show ▼
React2Shell (CVE-2025-55182) is being heavily exploited in React Server Components (RSC), with Huntress observing attackers deliver cryptocurrency miners and new malware families including PeerBlight, CowTunnel, and ZinFoq. Activity has targeted numerous organizations across sectors, especially construction and entertainment, and Huntress recorded the first attempt it saw on December 4, 2025 against a Windows endpoint through a vulnerable Next.js instance. Attackers also used a publicly available GitHub tool to identify vulnerable Next.js systems before starting intrusion activity.
Related Happenings
Magento exploitation wave for CVE-2026-45247
Exploitation Wave
H score9
First: 04.06.2026 10:19
Last: 04.06.2026 10:19
Sources 1
About this happening:
Active exploitation of **CVE-2026-45247** is hitting **Mirasvit Cache Warmer** on **Magento** stores, with malicious requests carrying serialized PHP payloads that can lead to **r...
Magento exploitation wave for CVE-2026-45247
Exploitation WaveAbout this happening: Active exploitation of **CVE-2026-45247** is hitting **Mirasvit Cache Warmer** on **Magento** stores, with malicious requests carrying serialized PHP payloads that can lead to **r...
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware Activity
H score49
First: 02.06.2026 21:21
Last: 02.06.2026 21:21
Sources 1
About this happening:
**Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware ActivityAbout this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Latest development: 09.06.2026 15:26
Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.
JINX-0164 cryptocurrency recruitment-lure campaign
Campaign
H score39
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
JINX-0164 cryptocurrency recruitment-lure campaign
CampaignAbout this happening: A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
Shai-Hulud worm clone activity on NPM
Malware Activity
H score69
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud worm clone activity on NPM
Malware ActivityAbout this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation Wave
H score46
First: 17.05.2026 14:57
Last: 17.05.2026 14:57
Sources 1
About this happening:
**openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...
OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation WaveAbout this happening: **openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...
Timeline
-
09.03.2026 23:45 2 articles · 4mo ago
Google reports rapid exploitation of React2Shell in cloud attacks
Technical Analysis UpdateGoogle reports that newly disclosed third-party flaws are increasingly being exploited for initial access to cloud environments, with React2Shell (CVE-2025-55182) and CVE-2025-24893 highlighted as frequent RCE examples. The report says attackers are weaponizing new flaws within days, with cryptominers observed within 48 hours of vulnerability disclosure.
Show sources
- Google: Cloud attacks exploit flaws more than weak credentials — www.bleepingcomputer.com — 09.03.2026 23:45
- Automated Credential Harvesting Campaign Exploits React2Shell Flaw — www.darkreading.com — 06.04.2026 18:31
-
20.02.2026 23:07 1 articles · 4mo ago
Unknown actor probes global IPs for React2Shell exposure
Campaign Scope UpdateA possibly state-sponsored actor is using the ILovePoop toolkit to probe tens of millions of IP addresses worldwide for exposed React2Shell/CVE-2025-55182 systems, with apparent interest in government, defense, finance, and industrial organizations, particularly in the United States.
Show sources
- Attackers Use New Tool to Scan for React2Shell Exposure — www.darkreading.com — 20.02.2026 23:07
-
09.02.2026 10:37 2 articles · 5mo ago
TeamPCP exploits React2Shell in cloud-native infrastructure seeding
Exploitation ObservedAround December 25, 2025, TeamPCP's worm-driven activity leveraged exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and React2Shell (CVE-2025-55182, CVSS score: 10.0) to seed malicious cloud infrastructure for follow-on exploitation against React/Next.js applications.
Show sources
- TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure — thehackernews.com — 09.02.2026 10:37
- React2Shell Exploitation Delivers Crypto Miners and New Malware Across Multiple Sectors — thehackernews.com — 10.12.2025 22:19
-
09.02.2026 10:37 1 articles · 5mo ago
Researchers publish TeamPCP cloud-native campaign analysis
Initial DisclosureOn 2026-02-09, cybersecurity researchers publicly attributed the campaign to TeamPCP (aka DeadCatx3, PCPcat, PersyPCP, and ShellForce) and described it as a cloud-native cybercrime platform that uses misconfigured Docker APIs, Kubernetes APIs, Ray dashboards, Redis servers, and vulnerable React/Next.js applications to support scanning, proxying, data theft, extortion, and monetization.
Show sources
- TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure — thehackernews.com — 09.02.2026 10:37