Ongoing exploitation of the React2Shell vulnerability (CVE-2025-55182)—previously detailed in coverage of China-nexus and cybercriminal campaigns—now includes widespread Linux backdoor installations, arbitrary command execution, and large-scale theft of cloud credentials.
Following earlier reports on PeerBlight and subsequent attacks by groups like UNC6600, UNC6586, UNC6588, UNC6603, and financially motivated actors deploying malware such as MINOCAT, SNOWLIGHT, HISONIC, COMPOOD, ANGRYREBEL.LINUX, and XMRig miners, cybersecurity researchers confirm active, large-scale exploitation of React2Shell (CVE-2025-55182).
Attackers continue leveraging this critical RCE flaw (CVSS 10.0, affecting React 19.0–19.2.0) to install backdoors on Linux systems, execute arbitrary commands, and target cloud credentials for theft.
While patches are available (React 19.0.1, 19.1.2, 19.2.1+), the persistent threats underscore the need for administrators to apply mitigations like Cloud Armor WAF, monitor IOCs from prior coverage, and secure React/Next.js applications amid software supply chain risks.
