Attackers Use New Tool to Scan for React2Shell Exposure
Dark Reading
by Nate Nelson, February 20, 2026
AI-Generated Deep Dive Summary
Attackers are leveraging a sophisticated new toolkit named "ILovePoop" to exploit the React2Shell vulnerability, targeting high-value industries such as government, defense, finance, and healthcare. This remote code execution (RCE) flaw, identified as CVE-2025-55182, allows attackers to gain full control of vulnerable web servers with a single unauthenticated request. The threat actors behind this campaign have been scanning tens of millions of IP addresses globally, specifically targeting critical infrastructure and major corporations in the U.S., including the Department of Defense, state governments, and financial institutions like JPMorgan Chase and Goldman Sachs.
The React2Shell vulnerability was first disclosed in December 2025 and has since evolved from automated, widespread attacks to more nuanced and targeted campaigns. Initially, attackers used cryptominers and botnets to exploit the flaw, often without distinguishing between operating systems. However, over time, the attacks have become more sophisticated, with groups like PeerBlight employing advanced techniques such as using the BitTorrent DHT network for command-and-control (C2) communication, ensuring resilience against domain takedowns.
React2Shell carries a CVSS score of 10 out of 10, making it one of the most critical vulnerabilities of the year. State-sponsored actors from China, Iran, and North Korea have also been implicated in exploiting this flaw, highlighting its potential impact on national security. The ongoing exploitation shows the importance of timely patching and the need for organizations to prioritize vulnerability management to mitigate the risks of downtime, data breaches, and potential espionage.
Originally published on Dark Reading on 2/20/2026