REACT2SHELL: EXPLOITATION IN THE WILD

*Executive summary:* This individual research details active exploitation of CVE-2025-55182 (React2Shell), a pre-auth RCE in React Server Components, and maps attacker infrastructure and indicators — including an open directory containing a 'next_target' list of high-profile domains, reuse of a distinctive multipart boundary string across hundreds of hosts, and deployment of sex.sh scripts that install XMRIG Monero miners; the report includes IPs, URLs, and wallet addresses and advises patching affected Next.js/React components.