
Exploitation turns compromised servers into cryptocurrency mining farms and botnet launchpads, draining compute and bandwidth and feeding large‑scale DDoS attacks. The breadth of still‑unpatched exposure, including systems that front critical infrastructure, underscores the urgency of rapid patch deployment.
The React2Shell flaw stems from insecure deserialization in the Flight protocol that carries client‑server traffic for React Server Components. Vulnerable versions of react‑server‑dom‑webpack, react‑server‑dom‑parcel and react‑server‑dom‑turbopack accept attacker‑controlled Flight payloads without adequate validation, so an unauthenticated request can lead to arbitrary code execution on the server. The impact is amplified in modern micro‑service deployments where the rendering container often runs with more privileges and network reach than it needs, giving an attacker a low‑friction path from a single request to a compromised production workload.
Since exploitation was first observed in December 2025, threat groups have weaponized the flaw to deliver a layered malware stack. Early infections concentrated on Russian insurance, e‑commerce and IT firms, where actors deployed XMRig cryptocurrency miners alongside the Rust‑based RustoBot botnet, which is capable of high‑volume UDP and TCP floods. Later campaigns broadened the payload repertoire to include Kaiji, Sliver implants, CrossC2, Tactical RMM and EtherRAT, turning compromised servers into persistent command‑and‑control hubs and DDoS launch platforms. Pairing cryptojacking with botnet capabilities maximizes financial return while muddying attribution.
Mitigation hinges on prompt patch adoption. Fixed releases of the affected packages shipped as 19.0.1, 19.1.2 and 19.2.1, one for each 19.x minor line, yet many enterprises lag because the packages are pulled in transitively by frameworks and baked into container images that are rarely rebuilt. Organizations should audit their software bill of materials and lockfiles for the three react‑server‑dom packages rather than only the top‑level react dependency, rebuild and redeploy images that carry pre‑fix versions, and treat runtime protection such as a Web Application Firewall tuned for anomalous Flight or deserialization traffic as a stopgap, not a substitute for upgrading. Continuous monitoring for miner binaries, unexpected outbound connections and DNS tunneling can further reduce dwell time once a host has been hit. As React continues to dominate front‑end development, the industry must prioritize secure coding practices and rapid supply‑chain response to prevent similar exploits from resurfacing.
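The lockfile audit described above, as an added example that is not part of the original article or of the React project: it walks an npm package-lock.json (lockfile version 2 or 3, where every installed package appears under the "packages" key, including nested copies), picks out the three react-server-dom packages named in the article, and compares each installed version with the first fixed release of its 19.x minor line (19.0.1, 19.1.2, 19.2.1). Versions outside those three lines, prerelease builds such as canaries, and unparseable strings are flagged for manual review rather than declared safe, because the article only establishes the three fixed releases. The lockfile content embedded below is constructed sample input.

```javascript
// Added example (not from the article or the React project): audit an npm
// package-lock.json for pre-fix react-server-dom-* versions.
// Fixed releases per the article: 19.0.1, 19.1.2, 19.2.1.

const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// First patched patch-level for each affected 19.x minor line.
// Any minor line not listed here is reported as "unknown", not as safe.
const FIRST_FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

function parseVersion(version) {
  // semver core plus optional prerelease tag, e.g. 19.2.0-canary-abc123
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(version || "");
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Returns one of: "vulnerable", "patched", "prerelease", "unknown", "unparseable".
function classifyVersion(version) {
  const v = parseVersion(version);
  if (!v) return "unparseable";
  if (v.prerelease) return "prerelease"; // canary/experimental builds: review manually
  if (v.major !== 19 || !(v.minor in FIRST_FIXED_PATCH)) return "unknown";
  return v.patch >= FIRST_FIXED_PATCH[v.minor] ? "patched" : "vulnerable";
}

// Walks lockfile "packages" entries. Keys look like
// "node_modules/<name>" or "node_modules/<parent>/node_modules/<name>"
// for nested duplicates, so the package name is the last node_modules segment.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.has(name)) continue;
    findings.push({
      path,
      name,
      version: entry.version,
      status: classifyVersion(entry.version),
    });
  }
  return findings;
}

// Constructed sample lockfile: one vulnerable hoisted copy, one patched nested
// copy pulled in by a framework, and one canary build that needs manual review.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { react: "^19.1.0" } },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/some-framework/node_modules/react-server-dom-turbopack": {
      version: "19.2.1",
    },
    "node_modules/react-server-dom-parcel": { version: "19.2.0-canary-abc123" },
  },
};

// Stand-alone use: node audit.js [path/to/package-lock.json]
// Without a path the constructed sample above is audited.
if (typeof require === "function" && require.main === module) {
  const file = process.argv[2];
  const lock = file
    ? JSON.parse(require("fs").readFileSync(file, "utf8"))
    : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) {
    console.log(`${f.status.padEnd(11)} ${f.name}@${f.version}  (${f.path})`);
  }
}
```

Run it against a real lockfile after `npm install`; a "vulnerable" hit on a nested path means the fix requires bumping the framework that vendors the package, not just the top-level react entry, and the image that bakes in that node_modules tree has to be rebuilt.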