Hackers Use Telegram Bots to Track React2Shell Exploits Targeting 900+ Companies
Hackers are using automated tools and Telegram bots to track over 900 successful exploits of a critical Next.js vulnerability, known as React2Shell (CVE-2025-55182). The campaign targeted internet-facing applications to extract sensitive data from exposed .env files, including API keys, passwords, and access tokens.


Researchers found a highly organized attack setup using a tool called “Bissa scanner,” which automated scanning, exploitation, and data collection. Each successful breach triggered real-time alerts via Telegram bots, allowing attackers to instantly monitor compromised systems and prioritize high-value targets like financial services, crypto platforms, and retail companies.
The operation highlights the growing scale of automated cyberattacks and the risks of exposed credentials in web applications. Organizations are urged to patch vulnerabilities quickly, secure secrets using dedicated managers, and monitor unusual outbound activity to prevent large-scale data breaches.
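As an added example (not from the researchers or the article), the following Python sketch inventories the `.env` files in a deployment tree and lists which variables look like secrets, so they can be rotated and moved into a secrets manager. The function names and the name-matching heuristic are assumptions made for illustration; only variable names are reported, never values.

```python
import re
import stat
import tempfile
from pathlib import Path

# Assumed naming heuristic for secret-bearing variables; tune for your stack.
SECRET_NAME = re.compile(r"KEY|SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL|DATABASE_URL", re.I)


def parse_env(text):
    """Yield (name, value) pairs from dotenv-style text."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        name, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                        # quoted: keep inner text
        else:
            value = value.split(" #", 1)[0].rstrip()   # drop trailing comment
        yield name.strip(), value


def audit_env_files(root):
    """List .env* files under root with the secret names that need rotation."""
    findings = []
    for path in sorted(Path(root).rglob(".env*")):
        if not path.is_file():
            continue
        names = [n for n, v in parse_env(path.read_text(errors="replace"))
                 if v and SECRET_NAME.search(n)]
        if names:
            mode = stat.S_IMODE(path.stat().st_mode)
            findings.append({"file": str(path.relative_to(root)),
                             "world_readable": bool(mode & stat.S_IROTH),
                             "rotate": names})
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:         # constructed sample tree
        (Path(tmp) / ".env").write_text("API_TOKEN=example-value\nPORT=3000\n")
        for finding in audit_env_files(tmp):
            print(finding)
```

Run it against the application's deploy directory; any file it reports on a host that was internet-facing while unpatched is a candidate for credential rotation.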