React2Shell (CVE-2025-55182) is a critical, pre-auth remote code execution weakness in React Server Components that impacts multiple React versions used across the React 19 ecosystem.
WXA Internet Abuse Signal Collective (WXA IASC) is inaugurating To Cache A Predator, a threat research series that correlates global telemetry, enrichment datasets, and honeypot observations to map attacker infrastructure and tactics tied to CVE-2025-55182, also known as “React2Shell.”
Episode one consolidates indicators of a coherent campaign: fast weaponization after public disclosure, persistent scanning of Next.js paths, and infrastructure concentration around a small set of high-leverage nodes.
Public advisories describe exploitation as possible via crafted network requests that abuse how server-side component payloads are parsed, urging defenders to patch quickly and monitor for exploitation attempts.
Early visibility via Niihama
WXA IASC’s Niihama honeypots observed exploitation attempts within roughly 20 hours of the public disclosure in early December 2025, giving early capture of exploit mechanics and attacker fingerprinting.
After the initial spike, Niihama continued to log steady React2Shell and Next.js-focused scanning through early February 2026, including probing of /_next/server and large-scale hunting across /_next/static/*.
Across WXA IASC NetFlow-derived telemetry, two Netherlands-hosted nodes stand out as the campaign’s core pivots, each interacting with millions of counterparties over the observation window.
GreyNoise independently reported that the same two IPs, 193.142.147[.]209 and 87.121.84[.]24, generated 56% of observed React2Shell exploitation traffic in a seven-day slice (Jan 26 to Feb 2, 2026).
In that GreyNoise window, sensors recorded 1,419,718 exploitation attempts targeting CVE-2025-55182, with 193.142.147[.]209 responsible for 488,342 sessions (34%) and 87.121.84[.]24 for 311,484 sessions (22%).
WXA IASC attributes much of the high-fidelity React2Shell activity to a novel, single-operator toolkit dubbed ILOVEPOOP, operating across nine scanner nodes on multiple hosting providers.
The toolkit is fingerprinted by consistent headers and behavior: Next-Action: x, X-Nextjs-Request-Id: poop1234, a per-attempt X-Nextjs-Html-Request-Id: ilovepoop_*, a repeatable six-path Next.js sweep, and a shared rotation of User-Agents, suggesting a reusable exploit stack rather than random probing.
Niihama also recorded follow-on hostile behavior (SMB/RDP/SSH/HTTP attacks and credential abuse) from IPs linked to the same exploit infrastructure, supporting an “early warning” interpretive frame: infrastructure overlap plus behavior overlap indicates risk, not confirmed compromise.
What defenders should do now
- Patch affected React/Next.js deployments tied to CVE-2025-55182 and validate that mitigations are actually deployed in production.
- Hunt in reverse proxy, WAF, and app logs for Server Actions–like POST patterns and suspicious Next.js internal headers (including the ILOVEPOOP canary IDs), then pivot to source IP, ASN, and hosting provider patterns.
- Treat these findings as evidence of hostile activity and scanning pressure; prioritize exposure reduction, least privilege, and rapid containment plans for internet-facing systems.
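As an added example (not code from WXA IASC, GreyNoise, or the Next.js project), the log hunt from the list above as a small Python script: it walks a JSON-lines reverse-proxy log in which the Next.js request headers were logged (an assumption about the proxy configuration), flags the ILOVEPOOP canary headers, POSTs whose Next-Action value does not look like a genuine action ID (assumed to be a long hex digest), and probes of /_next/server, and groups hits by source IP for the ASN and hosting-provider pivot. The log lines and IPs are constructed.

```python
import json
import re
from collections import defaultdict

# Header fingerprint of the ILOVEPOOP toolkit as reported in the article.
CANARIES = {
    "next-action": re.compile(r"^x$"),
    "x-nextjs-request-id": re.compile(r"^poop1234$"),
    "x-nextjs-html-request-id": re.compile(r"^ilovepoop_"),
}
# Assumption: genuine Next.js Server Action IDs are long hex digests, so a POST
# carrying a Next-Action header of any other shape deserves a second look.
LEGIT_ACTION_ID = re.compile(r"^[0-9a-f]{40,}$")
# /_next/server is not a route a browser asks for; /_next/static/* is normal asset traffic.
SERVER_PROBE = re.compile(r"^/_next/server(/|$)")

def classify(rec):
    """Return the reasons one proxy log record looks like React2Shell scanning ([] if none)."""
    reasons = []
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    for name, pattern in CANARIES.items():
        value = headers.get(name)
        if value is not None and pattern.search(value):
            reasons.append(f"canary header {name}={value}")
    action = headers.get("next-action")
    if rec.get("method") == "POST" and action is not None and not reasons and not LEGIT_ACTION_ID.match(action):
        reasons.append(f"server-action POST with odd Next-Action={action}")
    if SERVER_PROBE.match(rec.get("path", "")):
        reasons.append(f"probe of {rec['path']}")
    return reasons

def hunt(lines):
    """Walk a JSON-lines reverse-proxy log; return {src_ip: [reasons]} for flagged sources only."""
    hits = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = json.loads(line)
            for reason in classify(rec):
                hits[rec["src_ip"]].append(reason)
    return dict(hits)

# Constructed sample log (not real telemetry); assumes the proxy logs these request headers.
SAMPLE_LOG = [
    '{"src_ip":"203.0.113.10","method":"POST","path":"/","headers":{"Next-Action":"x",'
    '"X-Nextjs-Request-Id":"poop1234","X-Nextjs-Html-Request-Id":"ilovepoop_7f3a"}}',
    '{"src_ip":"203.0.113.10","method":"GET","path":"/_next/server","headers":{}}',
    '{"src_ip":"198.51.100.7","method":"POST","path":"/dashboard","headers":{"Next-Action":"' + "a" * 40 + '"}}',
    '{"src_ip":"198.51.100.7","method":"GET","path":"/_next/static/chunks/main.js","headers":{}}',
]
```

Running `hunt(SAMPLE_LOG)` flags only 203.0.113.10; the legitimate server action and the static asset fetch from 198.51.100.7 pass untouched.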