React2Shell: Rapid, Large-Scale Exploitation Delivers Reverse Shells and XMRig Miners

A severe server-side vulnerability in React 19 has moved from disclosure to active exploitation at internet scale, producing a concentrated wave of compromise attempts. The flaw permits unauthenticated remote code execution via crafted HTTP POST requests to server-oriented React endpoints; within days of public exploit availability attackers weaponized the code into operational campaigns. Security telemetry recorded more than 1.4 million attempts within seven days, with over a thousand distinct source IPs participating and a small number of hosts generating the bulk of interactions — two IPs alone produced roughly 34% and 22% of observed sessions respectively. Successful interactions frequently yielded interactive reverse shells that attackers used to fetch and run XMRig miners from staging infrastructure, prioritizing cryptomining and interactive control over immediate large-scale data theft. Analysis of the attacker infrastructure revealed long-lived staging hosts with a history of malicious activity and adjacent address space distributing other botnet payloads such as Mirai-family binaries, indicating reuse and persistence across campaigns. Observed attacker behaviors mirror patterns seen in other rapid-exploitation incidents: quick adaptation of public exploit code, use of lightweight second-stage loaders, and operational steps to blunt detection. Because server-capable front-end features and developer services can expose unexpected attack surfaces, defenders should also review internet-reachable development tooling and package resolution practices — for example, ensure build/dev services do not bind to non-local interfaces and verify provenance and integrity of Git/tarball dependencies. Complementary telemetry from related campaigns suggests actors often chain techniques such as disabling endpoint protections, opening bidirectional command channels, and fetching compact compiled payloads; defenders should hunt for scripts that tamper with EDR, unexpected outbound fetches to staging hosts, and anomalies in package-install logs. Patching remains essential but is not sufficient by itself: temporary virtual mitigations (WAF rules, filtering or blackholing high-volume source addresses, and ACLs), rapid artifact searching for XMRig indicators and unusual process launches, and forensic containment of persistent staging hosts are required to prevent re-infection. Hosting providers and cloud operators should prioritize discovery and isolation of vulnerable deployments, block or throttle abusive sources where feasible, and share indicators with peers and vendors to accelerate detection coverage. The incident underscores the operational risk of making developer- or server-capable features internet-accessible and will likely prompt both maintainers and operators to tighten defaults and harden dependency management to reduce similar attack avenues.