Originally reported by BleepingComputer, Check Point Research, Malwarebytes Labs
TL;DR
Attackers are exploiting React2Shell (`CVE-2025-55182`) in Next.js applications for automated credential harvesting, while QR code-based traffic violation scams target U.S. consumers. The European Commission confirmed a data breach through a supply chain compromise.
Automated exploitation of React2Shell vulnerability in Next.js applications represents a high-severity threat due to the widespread deployment of these frameworks and the scalable nature of the attack campaign.
Threat actors are leveraging multiple attack vectors this week, from automated web application exploitation to social engineering via QR codes, while supply chain compromises continue impacting high-profile targets.
Security researchers have identified a large-scale automated campaign exploiting the React2Shell vulnerability (CVE-2025-55182) in Next.js applications. The campaign focuses on systematic credential theft through automated exploitation of vulnerable web applications built on the popular React framework.
The automated nature of these attacks represents a significant escalation in threat actor capabilities, allowing for scalable credential harvesting across multiple targets simultaneously. Organizations running Next.js applications should prioritize patching and implementing additional authentication controls.
Scammers have evolved traditional SMS phishing by incorporating QR codes into fake traffic violation notices. The campaign impersonates state courts across the United States, sending "Notice of Default" text messages that direct recipients to scan QR codes leading to fraudulent payment portals.
The scam demands $6.99 payments while harvesting personal and financial information from victims. The use of QR codes adds a layer of obfuscation, making it harder for recipients to immediately identify malicious URLs before scanning.
Security teams should educate users about QR code risks and implement scanning policies that require URL preview before navigation.
Check Point Research reports that the European Commission confirmed a data breach affecting its Europa.eu platform. The compromise occurred through a third-party exchange connected to the Trivy supply chain attack, highlighting the persistent threat posed by software supply chain vulnerabilities.
This incident underscores the cascading impact of supply chain compromises, where initial vulnerabilities in widely-used tools can lead to breaches across multiple organizations and government entities.
Threat intelligence providers continue tracking evolving attack patterns, with Malwarebytes Labs and Check Point Research publishing weekly summaries of significant security events. These reports provide security teams with consolidated views of the current threat landscape.
The consistent publication of threat intelligence bulletins reflects the high volume of security incidents requiring ongoing monitoring and response across multiple sectors.