
Hackers have turned a critical React Server Components flaw into a structured exploitation operation, using Telegram bots, automated scanners and AI-assisted tooling to track more than 900 confirmed compromises across internet-facing applications.
The campaign centres on React2Shell, tracked as CVE-2025-55182, a maximum-severity remote code execution vulnerability disclosed in December 2025. The flaw affects React 19.0, 19.1.0, 19.1.1 and 19.2.0 through packages including react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack, and can allow unauthenticated attackers to execute commands on vulnerable servers through crafted HTTP requests.
Fresh evidence from an exposed server tied to a platform known as Bissa scanner indicates that the operation was not limited to opportunistic probing. The infrastructure was used for multi-victim exploitation, staging, validation and review, with logs showing automated workflows to scan targets, score successful hits, harvest secrets and send alerts to Telegram accounts controlled by the attackers.
The findings underline a shift in web exploitation tactics. Rather than relying only on public proof-of-concept code, the operators appear to have built a repeatable pipeline that blends mass scanning with human review. Telegram served as a command and notification layer, allowing operators to receive real-time updates when vulnerable systems were identified or compromised.
React2Shell has drawn intense attention because React and Next.js are widely used in modern web applications, including e-commerce platforms, dashboards, software-as-a-service products and cloud-hosted portals. Vulnerable deployments are especially exposed when they run affected React Server Components or framework versions without patched dependencies.
The exposed Bissa scanner environment contained project files, operational logs and tooling artefacts that pointed to activity across large numbers of domains. The material showed successful exploitation of more than 900 systems, with millions of targets scanned. The number does not necessarily represent the full scope of affected organisations, as compromised servers may include test systems, staging environments and production applications belonging to different entities.
The vulnerability’s severity stems from its pre-authentication nature. Attackers do not need valid credentials if a vulnerable endpoint is reachable. Once code execution is achieved, they may attempt to read environment variables, steal cloud keys, extract database credentials, deploy web shells, install miners or pivot deeper into connected infrastructure.
Security teams have warned that exposed secrets are among the most damaging outcomes of these attacks. Environment files and application configuration stores often contain API tokens, database passwords, session secrets and credentials for cloud services. Once stolen, these can remain useful to attackers even after the vulnerable application itself is patched.
The campaign also reflects the growing use of AI coding and orchestration tools by malicious operators. Artefacts linked to the exposed platform indicate that tools such as Claude Code and OpenClaw were used to support workflow automation and operator-side tasks. That does not mean the exploitation was autonomous from end to end, but it shows how threat actors are adopting developer productivity tools to accelerate offensive operations.
React2Shell was patched through updated React packages, including 19.0.1, 19.1.2 and 19.2.1. Next.js also issued fixed versions across multiple release lines, including 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 and 16.0.7. Organisations running affected versions have been urged to update framework-level dependencies, not only top-level packages, because vulnerable components may be pulled in indirectly.
Attack activity began shortly after public disclosure, with multiple groups testing the flaw across exposed services. Earlier exploitation involved state-linked and criminal actors seeking access to sectors including finance, logistics, retail, technology, education and government services. The latest Telegram-linked operation shows how the same vulnerability is being industrialised by broader attacker communities months after patches became available.
The challenge for defenders is complicated by fragmented JavaScript dependency chains. Many organisations do not have a complete inventory of React Server Components usage, especially where applications have been built by external vendors or deployed through older templates. Security teams are being advised to search software bills of materials, lock files and container images for vulnerable package versions.
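The two preceding paragraphs describe the patched release lines and the advice to search lock files for vulnerable package versions, including copies pulled in indirectly. The following script is an added example, not tooling from the article or from the React project, showing how a defender can do that check against an npm `package-lock.json` (lockfile v2/v3 layout, where the `packages` map keys look like `node_modules/a/node_modules/b`). It generalises the article's version list: the fixed releases 19.0.1, 19.1.2 and 19.2.1 are taken as the first safe patch on each of the 19.0, 19.1 and 19.2 lines, so any lower patch on those lines is flagged, and "19.0" in the article is read as 19.0.0. The lock file content is constructed for the example; versions outside those three lines are reported as not covered rather than as safe.

```python
import json

# Fixed versions as reported for the affected release lines: 19.0.1, 19.1.2, 19.2.1.
# Map (major, minor) -> first patch level that carries the fix (assumption drawn
# from the article's version list, not from an upstream range specification).
FIXED_PATCH_BY_LINE = {(19, 0): 1, (19, 1): 2, (19, 2): 1}

# The React Server Components packages named in the article.
RSC_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}


def parse_version(version):
    """Return (major, minor, patch); prerelease/build suffixes are dropped so
    a '19.2.0-canary' string is compared as 19.2.0 (conservative)."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    nums = [int(part) for part in core.split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version):
    """True if the version sits below the fix on a covered release line,
    False if it is at/above the fix or on an uncovered line, None if unparseable."""
    try:
        major, minor, patch = parse_version(version)
    except ValueError:
        return None
    fixed_patch = FIXED_PATCH_BY_LINE.get((major, minor))
    if fixed_patch is None:
        return False
    return patch < fixed_patch


def package_name_from_path(path):
    """Extract the package name from a lockfile key; the name is everything
    after the last 'node_modules/' (handles nested, i.e. transitive, copies)."""
    marker = "node_modules/"
    idx = path.rfind(marker)
    if idx == -1:
        return None
    return path[idx + len(marker):]


def find_vulnerable(lock):
    """Scan a parsed lockfile v2/v3 dict and return a finding per RSC package
    that is affected or needs manual review (unparseable version)."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        name = package_name_from_path(path)
        if name not in RSC_PACKAGES:
            continue
        version = meta.get("version", "")
        status = is_affected(version)
        if status is None or status:
            findings.append({
                "path": path,
                "name": name,
                "version": version,
                # More than one 'node_modules/' segment means a nested copy
                # pulled in by another dependency (e.g. a framework package).
                "transitive": path.count("node_modules/") > 1,
                "status": "affected" if status else "review",
            })
    return findings


# Constructed sample lock file: the top-level RSC package is patched, but a
# nested copy under a framework package is still on an affected version.
SAMPLE_LOCK = """
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/react": {"version": "19.2.1"},
    "node_modules/react-dom": {"version": "19.2.1"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.1"},
    "node_modules/next": {"version": "15.5.7"},
    "node_modules/next/node_modules/react-server-dom-turbopack": {"version": "19.1.1"}
  }
}
"""


def scan_sample():
    return find_vulnerable(json.loads(SAMPLE_LOCK))


if __name__ == "__main__":
    for f in scan_sample():
        where = "transitive" if f["transitive"] else "direct"
        print(f'{f["status"]}: {f["name"]}@{f["version"]} ({where}) at {f["path"]}')
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with the file's contents; the point of the nested-path handling is that a project whose top-level React packages were bumped can still carry an old copy inside another dependency's `node_modules` directory, which a check of `package.json` alone would miss.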