TheDrPinkyFeb 4
GreyNoise

Two IPs now generate 56% of all CVE-2025-55182 exploitation traffic.

One deploys cryptominers. The other opens reverse shells.

We dug into the infrastructure. What we found goes back to 2020.

https://www.greynoise.io/blog/react2shell-exploitation-consolidates

React Server Components Exploitation Consolidates as Two IPs Generate Majority of Attack Traffic

Two months after CVE-2025-55182 was disclosed on December 3, 2025, exploitation activity targeting React Server Components has consolidated significantly.

Feb 3 at 9:04pmWeb