Signal
React2Shell vulnerability exploited in large-scale credential harvesting campaign
Published 2026-04-02 19:30 UTC
Updated 2026-04-03 19:10 UTC
Tags: cve, exploits, malware, incident_response
Evidence trail (top sources)
Top sources (2 domains). Domains are deduped. Counts indicate coverage, not truth. 2 top sources shown.
limited source diversity in top sources
Overview
A threat group exploiting the four-month-old React2Shell vulnerability has compromised over 750 systems to steal credentials, tokens, and keys at scale.
Entities
Cisco Systems, AWS, Microsoft Azure, OpenAI, Anthropic, Nvidia, OpenRouter, Tavily
- Score total: 1.01
- Momentum 24h: 2
- Posts: 2
- Origins: 2
- Source types: 1
- Duplicate ratio: 0%
Why now
- The React2Shell vulnerability is four months old but still actively exploited.
- Researchers recently discovered an exposed attacker dashboard revealing stolen data.
- Over 750 systems have been compromised, indicating rapid campaign growth.
Why it matters
- React2Shell exploits enable large-scale theft of cloud credentials and tokens.
- Exposed attacker dashboard reveals the scale and sophistication of the campaign.
- Unpatched React servers remain vulnerable to automated scanning and compromise.
LLM analysis
- Topic mix: low
- Promo risk: low
- Source quality: medium
Recurring claims
- React2Shell vulnerability is being actively exploited to harvest credentials at scale.
How sources frame it
- Cisco Talos Researchers: neutral
All evidence
Security lapse lets researchers view React2Shell hackers’ dashboard
CSO Online · csoonline.com · 2026-04-03 19:10 UTC
React2Shell Exploited in Large-Scale Credential Harvesting Campaign
SecurityWeek · securityweek.com · 2026-04-03 10:55 UTC
- Posts loaded: 0
- Publishers: 2
- Origin domains: 2
- Duplicates: -
Top publishers (this list)
- CSO Online (1)
- SecurityWeek (1)
Top origin domains (this list)
- csoonline.com (1)
- securityweek.com (1)