According to new reporting, a cyber espionage group is preparing attacks on major industries. According to Anna Pham, senior hunt and response analyst at Huntress, "What's been most striking over the past couple of months is how the threat landscape around this vulnerability has evolved in layers. Opportunistic, mostly automated exploitation—spray-and-pray campaigns using cryptominers and botnet payloads—dominated the first wave.

The fact that we were able to capture attackers executing Linux-specific payloads against Windows endpoints made it abundantly evident to us that the automation was not even distinguishing between target operating systems." According to Pham, the situation has not yet subsided after several months.

"React2Shell has been added to the arsenals of other botnets, and tens of thousands of vulnerable instances are still available online."

It examined over 37,000 networks, including:

- NASA facilities
- The Defense Information Systems Agency (DISA) and the Department of Defense Intelligence Information System
- The North Carolina and Vermont state governments
- The city governments of San Diego, Boston, and Phoenix
- Large companies of all types, such as Salesforce, Netflix, Visa, PayPal, and Disney
- Financial institutions, such as the Bank of New York Mellon, Goldman Sachs, Santander US Capital Markets, and JPMorgan Chase
- Energy sector organizations, such as regional utilities, and possibly other industrial targets

Pinging a network does not equate to compromise.

However, the researchers cautioned that in some cases this preliminary reconnaissance phase has preceded actual attacks. In recent months, some IP addresses that later launched React2Shell attacks had first appeared in network telemetry, typically 45 days before the attack.

## Problems with React2Shell Patching

Fixing a deeply embedded vulnerability like React2Shell takes more than just clicking "Update".

According to Pham, Next.js, the vulnerable React framework, suffers from a dependency visibility problem.