React2Shell Cyberstorm: How 59,000 Servers Fell in Just 48 Hours

Listen to this Post

Featured Image

Introduction: A Silent Breach Spreading at Machine Speed

In the world of modern web development, frameworks like React and Next.js are trusted as the backbone of thousands of startups, enterprises, and cloud platforms. That trust was violently shaken when a fast moving exploitation campaign, now tracked as React2Shell, tore through global infrastructure in less than two days. What initially looked like scattered compromises quickly revealed itself as an industrial scale attack, automated, coordinated, and designed for persistence. More than 59,000 servers were confirmed compromised in just 48 hours, and the pace shows no sign of slowing.

Summary of the React2Shell Campaign

The React2Shell operation is a large scale exploitation campaign that abuses two critical remote code execution vulnerabilities in Next.js and React environments, identified as CVE-2025-29927 and CVE-2025-66478. These flaws allow attackers to execute arbitrary system commands by abusing prototype pollution and command injection weaknesses inside the Next.js runtime. The threat actor, operating under the name “PCP Cat”, uses a custom Python module called react.py to deliver malicious JSON payloads. These payloads tamper with the internal _response object of vulnerable applications, enabling execution of commands via child_process.execSync(). Once executed, the compromised server returns command output through manipulated redirect headers, confirming full remote control. After initial access, the malware aggressively hunts for sensitive assets, including .env files, SSH private keys, AWS credentials, Docker secrets, and GitHub tokens. Honeypot analysis confirmed that stolen data is continuously exfiltrated to a centralized command and control API hosted at 67.217.57.240:5656. The infrastructure behind the campaign is fully automated and API driven, capable of managing tens of thousands of infected nodes at the same time. Examination of the exposed /stats endpoint showed that more than 91,500 systems were scanned, with a success rate of 64.6 percent, resulting in 59,128 confirmed compromises. Targeting appears random but systematic, scanning approximately 2,000 IP addresses every 45 minutes. Once a system is breached, a persistence script named proxy.sh is fetched from the same server on port 666. This script installs GOST and FRP tunneling tools to establish SOCKS5 and reverse proxy backchannels on ports 1080 and 888. These tunnels enable long term access, lateral movement, and covert traffic routing. The malware also installs systemd services such as pcpcat-frp.service and pcpcat-gost.service to ensure automatic startup and resilience after reboots. Logs recovered from infected machines include the taunting signature “UwU PCP Cat was here~”, linking the operation to Telegram channels used for coordination and recruitment. Researchers mapping the activity to MITRE ATT&CK techniques identified exploitation of public facing applications, exfiltration over command and control channels, and persistent service creation. Security teams warn that if left unchecked, the same propagation rate could lead to more than 1.2 million compromised systems within a month.

What Undercode Say: Why This Attack Changes the Risk Model

Industrial Automation Marks a New Phase

This campaign is not just another opportunistic scan. It represents a shift toward fully automated exploitation pipelines that treat vulnerable servers as inventory. The exposed /stats endpoint alone shows how confidently the attackers operate at scale.

Next.js as a High Value Target

Next.js is widely deployed in production environments, often exposed directly to the internet and tightly integrated with cloud secrets. A single vulnerability here does not just affect a website, it can unlock entire cloud ecosystems.

Prototype Pollution Remains Underestimated

Prototype pollution continues to be treated as a theoretical risk by many teams. React2Shell proves that when combined with runtime command execution paths, it becomes a direct gateway to full system compromise.

Credential Theft Is the Real Objective

The malware’s focus on .env files and cloud credentials shows that persistence is only part of the plan. Stolen tokens allow attackers to pivot into CI pipelines, container registries, and production cloud accounts long after the initial exploit.

Persistence Through Legitimate Tools

By using FRP and GOST, tools often seen in legitimate network setups, the attackers blend into normal traffic patterns. This makes detection far more difficult for teams relying solely on signature based monitoring.

Random Scanning Still Works

Despite years of warnings, random IP scanning continues to succeed because patch cycles lag behind disclosure. The 64.6 percent success rate is a harsh reminder of how many exposed services remain unprotected.

Telegram as an Operations Hub

The use of public Telegram channels highlights how threat actors increasingly rely on mainstream platforms for coordination, branding, and psychological signaling rather than hiding entirely in the dark web.

Cloud Security Assumptions Are Failing

Many organizations assume their cloud providers will absorb most security risk. React2Shell demonstrates that vulnerabilities in application code can bypass those assumptions entirely.

Detection Requires Behavioral Thinking

Traditional antivirus and static rules will miss much of this activity. Behavioral indicators such as unexpected outbound tunnels, rogue systemd services, and anomalous child process execution are now critical signals.

The Clock Is Working Against Defenders

At the current propagation rate, response delays of days instead of hours can mean thousands of additional compromised systems. Patch management and exposure monitoring are no longer routine tasks, they are emergency controls.

Fact Checker Results

✅ The exploitation of CVE-2025-29927 and CVE-2025-66478 aligns with observed remote code execution behavior.
✅ Infrastructure details, scanning rates, and compromise numbers are consistent with honeypot and telemetry data.
❌ Long term attribution to a single actor remains uncertain due to shared tooling and public coordination channels.

Prediction

📊 If patch adoption remains slow, React2Shell style automation will become the default model for future web exploitation campaigns.
📊 Next.js and similar frameworks will see increased scrutiny, faster weaponization of bugs, and higher exploit value.
📊 Organizations that fail to monitor outbound tunnels and credential abuse will face silent, long lived compromises rather than visible outages.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.medium.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon