React2Shell Flaw Triggers Massive Global Cyberattack Wave

A serious security blunder in a fundamental piece of web technology, known as React Server Components (RSC), is causing a massive spike in cyberattacks across the world. Attackers are currently taking advantage of this top-level security hole, which has been dubbed React2Shell, to secretly install tools that mine cryptocurrency and to drop a variety of brand-new, unseen malware onto company networks. Security researchers are calling this a major crisis, demanding immediate action from affected organizations.

Zero-Day Flaw Allows Total System Takeover

The root of this massive problem is a critical security vulnerability tracked as CVE-2025-55182. Experts have confirmed this bug in RSC allows for “unauthenticated remote code execution.” In simple language, this means a hacker can run their own malicious code on a target’s server without needing a username, password, or any kind of access permission. This capability gives cybercriminals a free pass to take full control of the vulnerable server.

Since the first major attack attempts were logged around December 4, 2025, security company Huntress has witnessed a non-stop barrage of attacks hitting countless organizations. The attacks are not limited to one area; they are hitting a diverse group of companies, but the construction and entertainment sectors seem to be heavily targeted right now. The earliest known attack on a Windows machine involved a hacker exploiting a vulnerable Next.js setup, which uses RSC, to quickly drop a script that began installing a cryptocurrency miner and a sneaky Linux-based backdoor.

Further investigation into multiple intrusion cases shows that attackers are running discovery commands to map out the network and then fetching different tools from their central control centers. This fast-paced, widespread activity, which includes using a publicly available tool from GitHub to scan the internet for vulnerable Next.js instances, strongly suggests that the attackers are using automated tools to carry out their initial strikes. The sheer speed of the attacks and the fact that the tools sometimes try to deploy Linux-specific malware on Windows computers confirm that the hackers are using “fire and forget” automated systems that do not distinguish between different types of target computers.


New Malware Families Emerge from the Attacks

The threat goes far beyond simple cryptocurrency mining. Attackers are using the React2Shell vulnerability to push a whole new set of complex, undocumented malware designed for long-term presence and data theft.

The new malware families identified by security experts include:

  • PeerBlight: A highly advanced Linux backdoor that borrows techniques from older malware like RotaJakiro. It’s designed to stay hidden by pretending to be a legitimate system process called “ksoftirqd” and sets itself up as a system service to ensure it restarts every time the machine boots up. It can upload, download, and delete files, and most dangerously, open a reverse connection to the attacker, giving them a live terminal to control the system.

  • CowTunnel: A cleverly designed reverse proxy tool. Its job is to create an outbound connection to the hacker’s own server. This allows the attackers to bypass standard firewalls, which are often set up only to block connections coming into the network, not those going out.

  • ZinFoq: A powerful, flexible framework written in the Go programming language. Once on a system, it provides a full suite of post-exploitation tools, allowing the hacker to interact with the system, move files around, pivot to other computers on the network, and even change the time stamps on its own files to look less suspicious.
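PeerBlight's disguise as "ksoftirqd" can be checked for from the defender's side, because the genuine ksoftirqd workers are kernel threads with properties a renamed user-space binary cannot fake. The following script is an added example, not code from the original report or from any vendor: it assumes a Linux host where the real workers appear as `ksoftirqd/<cpu>`, are children of `kthreadd` (PID 2), have an empty `/proc/<pid>/cmdline` and no `/proc/<pid>/exe` link. The `Proc` record layout and the sample processes are constructed for the example.

```python
"""Flag processes that impersonate the kernel's ksoftirqd threads.

Added example, not from the original report. On Linux the real ksoftirqd
workers are kernel threads: they are named ksoftirqd/<cpu>, their parent is
kthreadd (PID 2), their /proc/<pid>/cmdline is empty and /proc/<pid>/exe has
no target. A user-space binary that merely calls itself "ksoftirqd" fails one
or more of those checks. The Proc layout is this example's own assumption.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List

KTHREADD_PID = 2
REAL_NAME = re.compile(r"^ksoftirqd/\d+$")


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str      # /proc/<pid>/comm (kernel-visible name, max 15 chars)
    cmdline: str   # /proc/<pid>/cmdline with NULs replaced by spaces
    exe: str       # readlink(/proc/<pid>/exe); "" for kernel threads


def impostor_reasons(p: Proc) -> List[str]:
    """Reasons a ksoftirqd-looking process is NOT a genuine kernel thread.

    Returns an empty list when the process is not ksoftirqd-like at all, or
    when it passes every check.
    """
    if "ksoftirqd" not in p.comm and "ksoftirqd" not in p.cmdline:
        return []
    reasons = []
    if p.ppid != KTHREADD_PID:
        reasons.append(f"parent pid is {p.ppid}; kernel threads are children of kthreadd (pid 2)")
    if p.cmdline:
        reasons.append("non-empty cmdline; kernel threads have none")
    if p.exe:
        reasons.append(f"backed by an on-disk executable: {p.exe}")
    if not REAL_NAME.match(p.comm):
        reasons.append(f"comm {p.comm!r} does not match ksoftirqd/<cpu>")
    return reasons


def find_impostors(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every process that fails the checks."""
    result = {}
    for p in procs:
        reasons = impostor_reasons(p)
        if reasons:
            result[p.pid] = reasons
    return result


def read_live_procs() -> List[Proc]:
    """Collect the fields above from /proc (Linux only; run as root so that
    /proc/<pid>/exe is readable for every process)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            with open(f"/proc/{pid}/status") as f:
                ppid = next(int(line.split()[1]) for line in f if line.startswith("PPid:"))
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except FileNotFoundError:
                exe = ""            # kernel threads have no exe target
        except (OSError, StopIteration):
            continue                # process exited mid-walk or is unreadable
        procs.append(Proc(pid, ppid, comm, cmdline, exe))
    return procs


# Constructed sample records: two genuine kernel workers, one impostor, one
# unrelated service. The impostor's path is a placeholder, not a real IoC.
SAMPLE = [
    Proc(15, 2, "ksoftirqd/0", "", ""),
    Proc(23, 2, "ksoftirqd/1", "", ""),
    Proc(4242, 1, "ksoftirqd", "ksoftirqd", "/var/tmp/placeholder/ksoftirqd"),
    Proc(700, 1, "node", "node server.js", "/usr/bin/node"),
]

if __name__ == "__main__":
    for pid, reasons in find_impostors(SAMPLE).items():
        print(f"pid {pid}: " + "; ".join(reasons))
```

Swap `SAMPLE` for `read_live_procs()` to sweep a real host; a hit on any single check is worth a look, since none of the four properties can be satisfied by a process that was started from a file on disk.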

The Self-Healing, Hidden Networks

The complexity of these new tools is a major worry. PeerBlight, for instance, has multiple ways to talk back to its command-and-control server (C2). Its primary method is a fixed address, but if that fails, it can fall back on a Domain Generation Algorithm (DGA) to create new addresses, or even use the decentralized BitTorrent Distributed Hash Table (DHT) network to hide its location.

The malware uses a unique code phrase, “LOLlolLOL”, as a starting identifier in the DHT network. By scanning the decentralized network for other nodes (infected machines or attacker-controlled servers) with this exact prefix, the bots can find each other and secretly share their C2 configuration. Researchers found over 60 different nodes using this hidden prefix, confirming a large, actively managed botnet. The system is designed to be sneaky; even when all conditions are met, the infected bots are programmed to only share their secret settings about a third of the time, dramatically reducing network noise and making it harder for security teams to map the full network.

A “Patch Now” Global Crisis

The sheer scale of this threat is staggering. The Shadowserver Foundation reported finding over 165,000 unique IP addresses and 644,000 domains containing the vulnerable code as of December 8, 2025. The United States is by far the hardest hit, accounting for nearly 100,000 vulnerable instances.

The pool of attackers is also rapidly growing. Beyond the initial reports, other security firms, like Palo Alto Networks Unit 42, have linked this exploitation to previously known campaigns, including the delivery of malware like EtherRAT and BPFDoor. Experts have confirmed that more than 15 separate groups are now actively abusing React2Shell, ranging from low-skill opportunists deploying cryptominers and Mirai bots to highly skilled, likely state-sponsored actors.

A senior director of threat intelligence at Rapid7 stressed that this is a “patch-now situation” because the attacks are happening everywhere simultaneously. There are also confirmed indications that tools previously used by major ransomware organizations are being adapted to exploit this flaw.

Organizations are strongly advised to update any systems using the affected component libraries—react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack—immediately. Given the ease of exploitation and the severe consequences of a successful attack, security experts warn that this vulnerability is likely to be exploited for a long time, making quick detection and patching essential for survival.
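Knowing whether the three component libraries are present at all is the first step, and in Next.js projects they are frequently installed as nested copies under another package rather than as direct dependencies. The script below is an added example, not code from the report or from the React or Next.js projects: it walks an npm `package-lock.json` (lockfile versions 1, 2 and 3) and lists every installed copy of `react-server-dom-webpack`, `react-server-dom-parcel` and `react-server-dom-turbopack` with its install path, so the versions can be compared against the vendor's fix list. The fixed versions are not stated on this page, so the script reports versions rather than judging them; the sample lockfile is constructed and uses placeholder version strings.

```python
"""Inventory React Server Components packages in an npm lockfile.

Added example, not from the original report. It lists every installed copy
of the three affected component libraries, including nested copies vendored
under another package's node_modules, so that each version can be checked
against the React advisory. No version is judged vulnerable here because the
fixed versions are not given on the page being illustrated.
"""
import json
from collections import defaultdict
from typing import Dict, Set

AFFECTED = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}


def _name_from_path(path: str) -> str:
    """'node_modules/next/node_modules/@scope/pkg' -> '@scope/pkg'."""
    return path.split("node_modules/")[-1]


def inventory_lock(lock: dict) -> Dict[str, Dict[str, Set[str]]]:
    """Map affected package name -> {version -> set of install paths}."""
    found = defaultdict(lambda: defaultdict(set))

    if "packages" in lock:
        # lockfileVersion 2 and 3: flat map keyed by install path; the empty
        # key is the root project itself.
        for path, meta in lock["packages"].items():
            if not path:
                continue
            name = _name_from_path(path)
            if name in AFFECTED and "version" in meta:
                found[name][meta["version"]].add(path)
    else:
        # lockfileVersion 1: nested "dependencies" tree
        def walk(deps: dict, prefix: str) -> None:
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                if name in AFFECTED and "version" in meta:
                    found[name][meta["version"]].add(path)
                walk(meta.get("dependencies", {}), path + "/")

        walk(lock.get("dependencies", {}), "")

    return {name: dict(versions) for name, versions in found.items()}


def inventory_file(path: str) -> Dict[str, Dict[str, Set[str]]]:
    """Load a package-lock.json from disk and inventory it."""
    with open(path, encoding="utf-8") as f:
        return inventory_lock(json.load(f))


# Constructed sample lockfile (v3): one direct copy and one copy nested under
# next. Version strings are placeholders, not real releases.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/next": {"version": "0.0.0-placeholder"},
        "node_modules/react": {"version": "0.0.0-placeholder"},
        "node_modules/react-server-dom-webpack": {"version": "0.0.0-placeholder-a"},
        "node_modules/next/node_modules/react-server-dom-turbopack": {
            "version": "0.0.0-placeholder-b"
        },
    },
}

if __name__ == "__main__":
    for name, versions in sorted(inventory_lock(SAMPLE_LOCK).items()):
        for version, paths in sorted(versions.items()):
            print(f"{name} {version}: {', '.join(sorted(paths))}")
```

Point `inventory_file` at each repository's `package-lock.json` and feed the output into whatever tracks advisory versions; pnpm and yarn lockfiles use different layouts and are outside what this example parses.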
