Hackers Exploit Critical React2Shell Vulnerability via Telegram Bots
Key Takeaways
- A single threat actor compromised over 900 organizations globally by exploiting the critical React2Shell vulnerability (CVE-2025-55182) in Next.js web applications.
- The attacker utilized an advanced setup involving automated tools, AI assistance (Claude Code, OpenClaw), and Telegram bots for real-time exploit notifications and credential harvesting.
- The campaign, identified by The DFIR Report, focused on extracting sensitive environment variables (.env files) containing API keys, passwords, and access tokens from affected systems.
- Financial, cryptocurrency, and retail sectors were heavily targeted, with tens of thousands of sensitive credentials exfiltrated and stored in cloud buckets.
- Organizations must prioritize patching, implement robust secret management, and enforce strict network egress controls to mitigate similar threats.
Sophisticated Threat Actor Leverages React2Shell Vulnerability, Telegram Bots to Compromise 900+ Companies
A recently exposed server has revealed the inner workings of a single threat actor responsible for breaching over 900 companies worldwide. The campaign, detailed by researchers at The DFIR Report, combined automated scanning, AI-assisted tooling, and real-time Telegram alerts to exploit a critical vulnerability in Next.js applications at scale.
The core of the attack was CVE-2025-55182, dubbed “React2Shell” by security researchers: an unauthenticated remote code execution flaw in React Server Components that affects Next.js applications. Rather than using the code execution for disruption, the attacker used it to read environment (.env) files from compromised servers. These files frequently hold passwords, API keys, and access tokens, so a single file read hands over everything the application itself could reach.
This was not indiscriminate spraying. The threat actor ran a structured workflow: identify vulnerable targets, exploit the React2Shell flaw, then rank victims by the potential value of the stolen data. Sectors with high-value digital assets, including financial institutions, cryptocurrency platforms, and retail companies, bore the brunt of the targeted follow-up.
Uncovering the Attack Infrastructure
Analysts from The DFIR Report discovered the full scope of the campaign after encountering an exposed server holding over 13,000 files across more than 150 directories. This was no mere data dump: the server contained scripts for exploitation, victim data staging, credential harvesting, and access validation, all managed from one central location.
Further analysis of the exposed host showed the attacker using AI agent tooling, including Claude Code and OpenClaw, to troubleshoot and streamline the workflow. This level of automation distinguishes the campaign from typical mass exploitation efforts, where the operator rarely gets past the initial access stage in any organized way.
Telegram Bots: The Attacker’s Real-Time Command Center
A particularly revealing aspect of the operation was the attacker’s use of Telegram as a live notification system. The “Bissa scanner” framework, a key component of the attack, contained runner scripts with a hardcoded Telegram bot token for @bissapwned_bot. A hardcoded bot token is also a useful detection point for defenders: every Telegram Bot API call goes to api.telegram.org with the token in the URL path, so an application server talking to that host is something egress logging should surface.
On each successful React2Shell exploit, @bissapwned_bot sent an immediate, structured alert to the attacker’s private Telegram chat. The operator, publicly identified by the Telegram username @BonJoviGoesHard and display name “Dr. Tube,” received concise, single-line messages. Each alert carried the victim’s identity, cloud posture, privilege level, and discovered secrets. This real-time feed let the attacker triage hundreds of breaches from a messaging app, without logging in to the staging server.
The volume of exfiltrated credentials was substantial. Across tens of thousands of .env files, the attacker amassed keys and tokens for a wide array of services: AI providers such as Anthropic and OpenAI, cloud platforms such as AWS and Azure, payment gateways including Stripe and PayPal, and databases such as MongoDB and Supabase. Between April 10 and April 21, 2026, the operator uploaded over 65,000 archived file entries to a storage bucket named “bissapromax” on Filebase, an S3-compatible storage service, which shows how continuous and automated the collection pipeline was.
Operational Sophistication and Longevity
The Telegram alerting system demonstrated a high degree of operational maturity. Each confirmation message from @bissapwned_bot featured a structured header with a message ID, date, sender username, and bot user ID. The message body, formatted as a single line with emoji-delimited fields, provided an instant, digestible summary of each victim, eliminating the need for manual server access. This design choice underscored the attacker’s priority for speed, clarity, and minimal effort in reviewing results.
The DFIR Report analysts confirmed the existence of at least two active bots: @bissapwned_bot for exploit alerts and @bissa_scan_bot, integrated into the AI-control subsystem powered by OpenClaw. Metadata lookups against the Telegram API verified both bots were operational at the time of discovery. The destination chat for the alerts resolved to a private conversation with a single human operator, confirming a solo, centrally managed campaign. This significant infrastructure investment suggests a long-running operation, with storage phase names tracing back to September 2025.

[Illustration not reproduced] Caption: how @bissapwned_bot delivered real-time exploit notifications directly to the operator’s Telegram chat, one line per confirmed CVE-2025-55182 compromise.
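The two externally visible pieces of this pipeline, the Telegram Bot API callback and the upload to S3-compatible storage, both leave traces in an egress proxy log. The following is an added example (not code from the page or from The DFIR Report) of the detection logic a defender could run over such logs. The log lines, the bot token, the bucket path and the allowlist of legitimate destinations are all constructed for the example; the rule thresholds are assumed tuning values.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed egress-proxy log lines (not real traffic). Columns: timestamp, source host,
# method, URL, bytes sent. Line 2 mimics a Telegram Bot API call of the kind the
# "Bissa scanner" runner scripts make; line 3 mimics an archive upload to an S3-compatible
# bucket. The token, bucket path and hosts are invented for the example.
SAMPLE_PROXY_LOG = """\
2026-04-12T03:14:07Z app-web-01 GET https://registry.npmjs.org/next 4122
2026-04-12T03:14:09Z app-web-01 POST https://api.telegram.org/bot123456789:AAFakeTokenFakeTokenFakeTokenFak/sendMessage 812
2026-04-12T03:14:10Z app-web-01 PUT https://s3.filebase.com/bissapromax/app-web-01.env.tar.gz 20480
2026-04-12T03:15:01Z app-web-02 GET https://api.stripe.com/v1/charges 300
2026-04-12T03:16:44Z app-web-03 POST https://api.openai.com/v1/chat/completions 1200
2026-04-12T03:17:02Z app-web-02 GET http://203.0.113.10/health 0
"""

# Destinations an application tier legitimately needs (assumed for the example).
# Anything else is a finding.
APP_TIER_ALLOWLIST = frozenset({"registry.npmjs.org", "api.stripe.com", "api.openai.com"})

# Telegram Bot API URLs have the shape /bot<bot_id>:<secret>/<method>. The minimum
# secret length of 20 is a deliberately loose assumption, not the real token format.
TELEGRAM_BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>\w+)")

# Uploads at or above this size from an app server to a non-allowlisted host are
# treated as possible staging of stolen files; the threshold is an assumed tuning value.
BULK_UPLOAD_BYTES = 10 * 1024


@dataclass(frozen=True)
class Finding:
    source: str       # internal host that made the request
    rule: str         # which detection fired
    destination: str  # host + path, with any bot token secret redacted
    detail: str


def analyze_egress(log_text: str, allowlist=APP_TIER_ALLOWLIST) -> list[Finding]:
    """Return one Finding per non-allowlisted outbound request, most specific rule first."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, source, method, url, sent = line.split()
        parts = urlsplit(url)
        dest = parts.hostname or ""
        if dest in allowlist:
            continue
        bot = TELEGRAM_BOT_PATH.match(parts.path)
        if dest == "api.telegram.org" and bot:
            # Never copy the bot secret into alerting output; the bot id alone is enough
            # to correlate this sighting with others.
            findings.append(Finding(
                source, "telegram-bot-api",
                f"{dest}/bot{bot['bot_id']}:<redacted>/{bot['method']}",
                f"bot id {bot['bot_id']} called {bot['method']}"))
        elif method in ("PUT", "POST") and int(sent) >= BULK_UPLOAD_BYTES:
            findings.append(Finding(
                source, "bulk-upload", f"{dest}{parts.path}", f"{sent} bytes via {method}"))
        else:
            findings.append(Finding(
                source, "egress-not-allowlisted", f"{dest}{parts.path}", f"{method} request"))
    return findings


if __name__ == "__main__":
    for f in analyze_egress(SAMPLE_PROXY_LOG):
        print(f"{f.source:10} {f.rule:24} {f.destination}  ({f.detail})")
```

The allowlist is what makes the noise manageable: an application tier has a short, knowable list of upstreams, so everything outside it is worth a ticket, and the Telegram and bulk-upload rules only add severity on top of that baseline. The bot secret is redacted before it reaches the finding, because an alert that copies a live token into a SIEM or ticket system creates a second leak.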
What You Should Do
- Aggressive Patching and Monitoring: Patch all Next.js deployments, and any other application serving React Server Components, against CVE-2025-55182 promptly, and keep other web applications current for known vulnerabilities. Subscribe to vendor advisories so new threats are not missed. Patching closes the door but does not recover what already left: treat every secret present on a host that was exposed while vulnerable as compromised.
- Secure Secret Management: Move all production credentials, API keys, and access tokens out of .env files. Inject them at runtime from a dedicated secret manager instead, and give each credential a short lifetime and narrowly scoped permissions, so that a stolen token is worth little and expires soon.
- Control Outbound Network Traffic: Restrict outbound traffic from application tiers to an allowlist, routed through a logged proxy. A compromised host then cannot silently reach attacker infrastructure; the Telegram Bot API calls and S3-compatible storage uploads used in this campaign would have been blocked, or at minimum logged and alertable.
- Regular Credential Rotation: Establish and enforce a regular rotation schedule for all sensitive credentials, with an out-of-cycle rotation triggered by any suspected exposure.
- Scan for Embedded Secrets: Conduct frequent scans of source code and built artifacts to detect any inadvertently embedded secrets.
- Deploy Canary Tokens: Integrate canary tokens into sensitive areas of your infrastructure. These tokens are designed to trigger immediate alerts upon unauthorized access, providing early warning of a potential breach.
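The “Scan for Embedded Secrets” and “Secure Secret Management” items above are easier to act on with a concrete scanner. The following is an added example (not code from the page or from any referenced tool) that checks a .env file and a built client bundle for the credential families this campaign harvested. The AWS access key ID shape is documented by AWS; the Anthropic, OpenAI and Stripe prefixes and minimum lengths are assumptions from those vendors’ public key formats; the sample files and every credential in them are constructed and fake.

```python
import re
from dataclasses import dataclass
from pathlib import Path

# Regexes for the credential families the campaign harvested. The AWS access key ID
# shape is documented by AWS; the vendor prefixes for Anthropic, OpenAI and Stripe and
# the minimum lengths are assumptions from those vendors' public key formats and may
# need tuning. The last pattern catches any .env-style KEY/SECRET/TOKEN/PASSWORD
# assignment regardless of the value's shape.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "anthropic-api-key": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}"),
    "openai-api-key": re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}"),
    "stripe-live-secret": re.compile(r"\bsk_live_[A-Za-z0-9]{16,}"),
    "db-uri-with-password": re.compile(
        r"\b(?:mongodb(?:\+srv)?|postgres(?:ql)?|mysql|redis)://[^\s:@/]+:[^\s@/]+@"),
    "dotenv-assignment": re.compile(
        r"^\s*[A-Z][A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD|PASS|PWD)[A-Z0-9_]*\s*=\s*\S+",
        re.MULTILINE),
}

# Constructed sample artifacts (no real credentials): a .env file of the kind the
# campaign exfiltrated, and a client-side Next.js chunk where a server key was inlined
# at build time. File names and contents are invented for the example.
SAMPLE_FILES = {
    ".env": (
        "DATABASE_URL=postgres://app:s3cret@db.internal:5432/app\n"
        "STRIPE_SECRET_KEY=sk_live_FAKEFAKEFAKEFAKEFAKE1234\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "NEXT_PUBLIC_API_BASE=https://api.example.com\n"
    ),
    ".next/static/chunks/app/page.js":
        'const c=new Anthropic({apiKey:"sk-ant-api03-FAKEFAKEFAKEFAKEFAKEFAKEFAKE"});',
}


@dataclass(frozen=True)
class SecretHit:
    path: str
    family: str
    line: int
    preview: str  # first characters only; the full value must never reach a log or ticket


def scan_text(path: str, text: str) -> list[SecretHit]:
    """Run every pattern over one file's contents and report redacted hits."""
    hits = []
    for family, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            hits.append(SecretHit(path, family, line, m.group(0)[:8] + "****"))
    return sorted(hits, key=lambda h: (h.path, h.line, h.family))


def scan_files(files: dict[str, str]) -> list[SecretHit]:
    """Scan an in-memory {path: contents} map (used for the sample and for tests)."""
    hits = []
    for path in sorted(files):
        hits.extend(scan_text(path, files[path]))
    return hits


def scan_tree(root: str, suffixes=(".env", ".js", ".mjs", ".cjs", ".json", ".map")) -> list[SecretHit]:
    """Walk a build output (for example .next/) or a checkout and scan its text artifacts."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and (p.suffix in suffixes or p.name.startswith(".env")):
            try:
                files[str(p)] = p.read_text(errors="replace")
            except OSError:
                continue
    return scan_files(files)


if __name__ == "__main__":
    for h in scan_files(SAMPLE_FILES):
        print(f"{h.path}:{h.line}: {h.family} {h.preview}")
```

Run `scan_tree(".next")` after a build to catch server keys that a misplaced import pulled into a client chunk, and `scan_tree(".")` in CI to fail the pipeline when a .env with live values is committed. A line can trigger two families at once (a `STRIPE_SECRET_KEY=` assignment fires both the Stripe rule and the generic .env rule); that redundancy is intentional, since the generic rule still fires when a vendor changes its key prefix. Hits carry only an eight-character preview so the scanner’s own output cannot become the next leak.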
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.