VERY IMPORTANT

A critical vulnerability in React Server Components, dubbed React2Shell, was disclosed on December 3, 2025. Within days, multiple threat actors exploited this flaw, leading to simultaneous compromises of affected systems. The case study reveals a rapid progression from initial coin miner installations to the deployment of various malware types, including RATs and backdoors. The timeline shows attacks beginning on December 5, with website defacement occurring by December 7. Notably, the incident involved the use of SNOWLIGHT, HISONIC backdoor, CrossC2 RAT, and the abuse of Global Socket tool. The study emphasizes the speed at which attackers exploit new vulnerabilities and the importance of swift patching and thorough post-compromise investigations.