React2Shell Exploitation Delivers Crypto Miners and New Malware Across Multiple Sectors
Briefly

"React2Shell continues to witness heavy exploitation, with threat actors leveraging the maximum-severity security flaw in React Server Components (RSC) to deliver cryptocurrency miners and an array of previously undocumented malware families, according to new findings from Huntress. This includes a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based post-exploitation implant referred to as ZinFoq. The cybersecurity company said it has observed attackers targeting numerous organizations via CVE-2025-55182, a critical security vulnerability in RSC that allows unauthenticated remote code execution."
"The first recorded exploitation attempt on a Windows endpoint by Huntress dates back to December 4, 2025, when an unknown threat actor exploited a vulnerable instance of Next.js to drop a shell script, followed by commands to drop a cryptocurrency miner and a Linux backdoor. In two other cases, attackers were observed launching discovery commands and attempting to download several payloads from a command-and-control (C2) server."
Attackers are exploiting CVE-2025-55182 in React Server Components to gain unauthenticated remote code execution and deliver cryptocurrency miners and novel malware. Observed payloads include the Linux backdoor PeerBlight, the reverse-proxy tunnel CowTunnel, and the Go-based implant ZinFoq. Exploitation has targeted numerous organizations across sectors, notably construction and entertainment. The first recorded attempt on a Windows endpoint, on December 4, 2025, involved a vulnerable Next.js instance that was exploited to drop a shell script, a miner, and a Linux backdoor. Attackers used discovery commands, attempted to download payloads from C2 servers, and employed public GitHub tools to identify vulnerable Next.js instances. Automation likely drives the broad, OS-agnostic deployment.
Read at The Hacker News