Two hacking groups with ties to China have been observed weaponizing the newly disclosed security flaw in React Server Components (RSC). The vulnerability in question is CVE-2025-55182 (CVSS score: 10.0), aka React2Shell, which allows unauthenticated remote code execution.
Amazon said it identified infrastructure associated with Earth Lamia, a China-nexus group that was attributed to attacks exploiting a critical SAP NetWeaver flaw earlier this year. The attack efforts have also originated from infrastructure related to Jackpot Panda, which has primarily singled out entities that are either engaged in or support online gambling operations in East and Southeast Asia. The development comes as Cloudflare experienced a brief but widespread outage that caused websites and online platforms to return a "500 Internal Server Error" message.
"It was not an attack; the change was deployed by our team to help mitigate the industry-wide vulnerability disclosed this week," the web infrastructure provider said in a statement Friday. "The change made to how Cloudflare's Web Application Firewall parses requests caused Cloudflare's network to be unavailable for several minutes this morning," the company said. It has since emerged that a Chinese hacking contractor, I-Soon, may have been involved in the supply chain attack, citing infrastructure overlaps.
The observed activity involves attempts to run discovery commands (e.g., "whoami"), write files ("/tmp/pwned.txt"), and read files containing sensitive information (e.g., "/etc/passwd"). The vulnerability has been addressed in React versions 19.0.1, 19.1.2, and 19.2.3.
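Detection logic for the post-exploitation behaviour described above, as an added example that is not from the original article or from any vendor it names: it flags child processes of the web server's Node.js process whose command line matches the three behaviours listed in the text. The event schema (`ts`, `host`, `parent`, `cmdline`), the server process names and the sample events are assumptions constructed for illustration.

```python
import json
import re

# Indicators taken from the activity described in the article.
INDICATORS = {
    "discovery_command": re.compile(r"(?<![\w-])whoami(?![\w-])"),
    "file_write_marker": re.compile(r"/tmp/pwned\.txt"),
    "sensitive_file_read": re.compile(r"/etc/passwd(?![\w.-])"),
}
# Assumption: the RSC application runs under one of these process names.
SERVER_PROCESSES = {"node", "next-server"}

# Constructed sample process events (JSON lines); the field names are an assumed schema.
SAMPLE_EVENTS = """\
{"ts": "2025-12-05T08:01:12Z", "host": "web-1", "parent": "/usr/bin/node", "cmdline": "/bin/sh -c whoami"}
{"ts": "2025-12-05T08:01:15Z", "host": "web-1", "parent": "/usr/bin/node", "cmdline": "/bin/sh -c 'id > /tmp/pwned.txt'"}
{"ts": "2025-12-05T08:01:19Z", "host": "web-1", "parent": "/usr/bin/node", "cmdline": "cat /etc/passwd"}
{"ts": "2025-12-05T08:02:40Z", "host": "web-1", "parent": "/usr/bin/node", "cmdline": "git rev-parse HEAD"}
{"ts": "2025-12-05T08:03:02Z", "host": "web-1", "parent": "/bin/bash", "cmdline": "whoami"}
not-json garbage line
"""

def triage(lines):
    """Return (event, matched_indicator_names) for children of the web server process."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed records instead of aborting
        if not isinstance(event, dict):
            continue
        parent = str(event.get("parent", "")).rsplit("/", 1)[-1]
        if parent not in SERVER_PROCESSES:
            continue  # e.g. an admin shell running whoami is out of scope here
        cmdline = str(event.get("cmdline", ""))
        matched = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
        if matched:
            hits.append((event, matched))
    return hits

if __name__ == "__main__":
    for event, matched in triage(SAMPLE_EVENTS.splitlines()):
        print(event.get("ts"), event.get("host"), ",".join(matched), "::", event["cmdline"])
```

Scoping the match to children of the server process keeps routine administrator use of the same commands out of the results; the process names need adjusting to how the application is actually launched.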





