Hackers Exploit Global Vulnerability
In a recently documented campaign, more than 900 organisations worldwide were compromised through the React2Shell vulnerability. The operators combined AI coding assistants and Telegram bots with a mass-scanning tool they called the ‘Bissa scanner’, which swept internet-facing web applications at scale, harvested credentials from the hosts it compromised, and pushed real-time alerts straight to the attacker’s Telegram account.
Understanding the React2Shell Vulnerability
At the core of these attacks lies CVE-2025-55182, commonly referred to as React2Shell: a critical remote code execution flaw in React Server Components that is reachable through Next.js applications built on them. Because the bug gives an attacker code execution on the server itself, the threat actors used it to read environment files (.env) that routinely hold database passwords and API keys, putting millions of exposed web servers at risk. The actors organised their targeting deliberately, concentrating on financial institutions, cryptocurrency platforms and retailers, which were the most severely affected.
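The first question a defender asks about a bug like this is whether the React Server Components packages in a deployment are on an affected release. The following is an added example, not code from the article or from The DFIR Report, that audits a package-lock.json for react-server-dom-* versions. The fixed versions in the table are my reading of the upstream React advisory (19.0.1, 19.1.2 and 19.2.1 for the 19.0, 19.1 and 19.2 lines) and must be confirmed against the current advisory before being relied on; the lockfile content is constructed for the example. Note that Next.js vendors its own copy of react-server-dom-webpack under next/dist/compiled, so for a Next.js application the table needs an entry for the `next` package taken from the Next.js advisory rather than the React one.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3 "packages" map)
// for React Server Components packages on a release affected by CVE-2025-55182.
//
// ASSUMPTION: first fixed release per affected minor line, from my reading of the
// React advisory. Confirm against the advisory before use. Next.js bundles its
// own copy of react-server-dom-webpack, so add a "next" entry from the Next.js
// advisory when auditing a Next.js app.
const RSC_FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const FIXED_VERSIONS = {
  "react-server-dom-webpack": RSC_FIXED,
  "react-server-dom-parcel": RSC_FIXED,
  "react-server-dom-turbopack": RSC_FIXED,
};

// Constructed lockfile for the example (not a real project).
const SAMPLE_LOCK = {
  name: "rsc-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "rsc-app" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/legacy-tool/node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/react-server-dom-parcel": { version: "0.0.0-experimental-abc123" },
  },
};

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

function cmpRelease(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// "vulnerable" | "fixed" | "unaffected" | "review" (prerelease, canary or unparsable)
function classifyVersion(version, fixedByLine) {
  const v = parseSemver(version);
  if (!v || v.pre) return "review"; // canary/experimental builds need a manual check
  const fixed = fixedByLine[`${v.major}.${v.minor}`];
  if (fixed) return cmpRelease(v, parseSemver(fixed)) < 0 ? "vulnerable" : "fixed";
  const lines = Object.values(fixedByLine).map(parseSemver);
  const lowest = lines.reduce((a, b) => (cmpRelease(a, b) < 0 ? a : b));
  const highest = lines.reduce((a, b) => (cmpRelease(a, b) > 0 ? a : b));
  if (cmpRelease(v, lowest) < 0) return "unaffected"; // predates the affected lines
  if (cmpRelease(v, highest) > 0) return "fixed"; // newer than every listed fix
  return "review";
}

// Walk every installed copy, nested ones included, and classify those in the table.
function auditLockfile(lockJson, table = FIXED_VERSIONS) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!table[name] || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classifyVersion(entry.version, table[name]) });
  }
  return findings;
}

function summarize(findings) {
  const counts = { vulnerable: 0, fixed: 0, unaffected: 0, review: 0 };
  for (const f of findings) counts[f.status] += 1;
  return counts;
}

console.log(auditLockfile(SAMPLE_LOCK));
console.log(summarize(auditLockfile(SAMPLE_LOCK)));
```

The nested copy under legacy-tool is the case a quick `npm ls` at the top level tends to miss; a lockfile walk catches every installed instance, which is what matters when the vulnerable code is reachable from any of them.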
The DFIR Report’s analysts uncovered the full extent of the campaign when they found an exposed attacker server holding more than 13,000 files across over 150 directories. The server was not merely a dump of stolen data but a well-structured operation, with scripts for exploitation, credential harvesting and access validation kept in one place.
Automation and Efficiency in Cyberattacks
The attackers made the operation more efficient through automation, using tools such as Claude Code and OpenClaw for troubleshooting and workflow management, which streamlined the exploitation process. A notable feature of the campaign was the use of Telegram for real-time notifications: a bot, @bissapwned_bot, delivered an instant alert for each successful React2Shell exploit. Each alert carried details of the victim’s identity and security posture, letting the attacker decide quickly which compromised hosts to pursue first.
The scale of credential theft was extensive, with the attackers collecting keys and tokens from major AI providers, cloud platforms, and payment systems. Between April 10 and April 21, 2026, the attackers uploaded over 65,000 archived files to a cloud storage bucket, demonstrating the operation’s automated and continuous nature.
Critical Measures for Cyber Defense
The discovery of this operation underlines the need for robust defensive measures, and The DFIR Report’s researchers recommend several. Organisations should patch promptly and subscribe to vendor advisories so that critical CVEs do not go unnoticed. Production credentials should be stored securely, with access restricted and lifetimes kept short; since this exploit reads secrets straight from the environment of the running server, any credential present on a compromised host should be treated as exposed and rotated, not just the ones observed leaving. Monitoring outbound traffic from the web tier, where a compromised server has to send harvested data somewhere, and rotating credentials on a regular schedule further limit what an attacker can do with such access.
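Of the recommendations above, outbound monitoring is the one most often left vague. The following added example, not part of the article or of The DFIR Report’s guidance, runs a small set of egress rules over constructed flow records from a web tier: the app process should only talk to an allowlist of destinations, no other process should be making connections at all, raw-IP destinations and bulk uploads outside the allowlist are suspicious, and any contact with the cloud metadata endpoint (169.254.169.254) from a web server deserves a look. The record format, pod name, hostnames and the 203.0.113.0/24 address (a documentation range) are all invented for the example.

```javascript
// Added example: flag suspicious egress from a web tier. The records below are
// constructed; they are not real telemetry from the campaign described above.
const SAMPLE_FLOWS = [
  '{"ts":"2026-04-15T10:01:02Z","src":"web-7c9d","proc":"node","dst":"api.stripe.com","port":443,"bytes_out":812}',
  '{"ts":"2026-04-15T10:01:05Z","src":"web-7c9d","proc":"node","dst":"db.internal","port":5432,"bytes_out":2048}',
  '{"ts":"2026-04-15T10:02:11Z","src":"web-7c9d","proc":"node","dst":"203.0.113.45","port":8080,"bytes_out":61440}',
  '{"ts":"2026-04-15T10:02:13Z","src":"web-7c9d","proc":"curl","dst":"203.0.113.45","port":443,"bytes_out":5120}',
  '{"ts":"2026-04-15T10:03:00Z","src":"web-7c9d","proc":"node","dst":"169.254.169.254","port":80,"bytes_out":120}',
  'not json at all',
];

// Assumed policy for the web tier: only the app process may connect, and only to
// these destinations. "*.internal" matches any host under that suffix.
const EGRESS_POLICY = {
  allowedProcs: new Set(["node"]),
  allowedHosts: ["api.stripe.com", "*.internal"],
  bulkBytes: 32 * 1024, // bytes_out at or above this to an unknown host counts as a bulk upload
};

const METADATA_ENDPOINT = "169.254.169.254";

function hostAllowed(host, patterns) {
  return patterns.some((p) => (p.startsWith("*.") ? host.endsWith(p.slice(1)) : host === p));
}

function isRawIp(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Return the list of reasons a single record is suspicious (empty when it is not).
function analyzeFlow(rec, policy) {
  const reasons = [];
  if (!policy.allowedProcs.has(rec.proc)) reasons.push(`unexpected process ${rec.proc}`);
  if (rec.dst === METADATA_ENDPOINT) {
    reasons.push("cloud metadata endpoint");
  } else if (!hostAllowed(rec.dst, policy.allowedHosts)) {
    reasons.push(isRawIp(rec.dst) ? `raw IP destination ${rec.dst}` : `destination ${rec.dst} not allowlisted`);
    if (rec.bytes_out >= policy.bulkBytes) reasons.push(`bulk upload (${rec.bytes_out} bytes)`);
  }
  return reasons;
}

// Parse JSON-lines flow records and return only the ones that trip a rule.
function findSuspiciousEgress(lines, policy = EGRESS_POLICY) {
  const findings = [];
  for (const line of lines) {
    let rec;
    try {
      rec = JSON.parse(line);
    } catch {
      continue; // malformed record: skip rather than abort the whole batch
    }
    const reasons = analyzeFlow(rec, policy);
    if (reasons.length) findings.push({ ts: rec.ts, src: rec.src, proc: rec.proc, dst: rec.dst, reasons });
  }
  return findings;
}

console.log(findSuspiciousEgress(SAMPLE_FLOWS));
```

The allowlist is deliberately a positive list: a web server that needs to reach a payment API and an internal database has no business opening sockets to arbitrary hosts, and a rule that enumerates the expected destinations catches exfiltration to infrastructure nobody had seen before, which is exactly the situation a fresh campaign creates.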
As the threat landscape evolves, organisations must stay vigilant and proactive about securing their digital assets. Applying these defensive measures reduces the risk posed by campaigns like the one built around React2Shell.
