Hackers Exploit React2Shell via Telegram Bot, Breaching Over 900 Companies

A publicly exposed server revealed a large‑scale automated attack in which threat actors used the Bissa scanner tool, AI‑assisted code, and hard‑coded Telegram bots to exploit the React2Shell (CVE‑2025‑55182) vulnerability, stealing credentials from more than 900 enterprises and reporting each success in real time.

Black & White Path

Attack Exposure

An internet‑exposed server revealed a large‑scale automated campaign using the “Bissa scanner” tool. Threat actors combined automated scanning, AI‑assisted code generation, and Telegram bots to compromise more than 900 organizations.

Vulnerability Exploitation Mechanism

The campaign targets a high‑severity Next.js vulnerability, CVE‑2025‑55182 (named “React2Shell”). The flaw enables extraction of .env files that often contain passwords, API keys, and tokens. Attackers follow a structured workflow: discovery, exploitation, grading, and selective exfiltration based on data value. Financial institutions, cryptocurrency platforms, and retail firms were reported as the most affected sectors.

Automated Attack Infrastructure

DFIR analysts recovered over 13,000 files across more than 150 directories on the compromised host. The files constitute a dedicated pipeline that includes exploit scripts, temporary victim data, credential collection, and privilege verification, all executed on a single machine. The pipeline was orchestrated with Claude Code and OpenClaw, providing large‑scale automation and workflow management.

Telegram Real‑Time Notification System

The Bissa scanner embeds a hard‑coded token for the Telegram bot @bissapwned_bot. Each successful React2Shell exploitation triggers an immediate, structured alert sent to the attacker’s private Telegram chat. The bot’s identity (@BonJoviGoesHard, display name “Dr. Tube”) is recorded with each alert, and the alert body includes the victim identifier, cloud environment status, privilege level, and available keys.

Credential Collection Scale

From tens of thousands of harvested .env files, the attackers extracted credentials for:

AI services: Anthropic, OpenAI

Cloud platforms: AWS, Azure

Payment systems: Stripe, PayPal

Databases: MongoDB, Supabase

Between 2026‑04‑10 and 2026‑04‑21, more than 65,000 archive entries were uploaded to a Filebase S3‑compatible bucket named bissapromax, demonstrating the pipeline’s automation and persistence.

Telegram Bot Notification Mechanism Details

Each alert from @bissapwned_bot contains a structured header (message ID, date, sender username, bot user ID) and a body formatted with emoji delimiters for rapid parsing. Analysts identified two active bots:

@bissapwned_bot – delivers scan‑result alerts.

@bissa_scan_bot – driven by OpenClaw for AI‑controlled scanning.

Metadata queries of the Telegram API showed both bots were active, communicating with a single operator in a private chat, with activity traceable to September 2025.

Defensive Recommendations

Patch aggressively: Apply critical CVE fixes promptly.

Migrate credential management: Replace .env files with dedicated secret‑management solutions that inject short‑lived, least‑privilege credentials at runtime.

Control outbound traffic: Route application‑layer outbound connections through logged proxies to block silent communication with attacker infrastructure.

Operationalize credential security: Rotate secrets regularly, scan code and build artifacts for embedded keys, and deploy honey‑token credentials to trigger alerts.
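A defender‑side check for the outbound‑traffic recommendation above, added here as an example and not part of the article or the Bissa tooling: it parses constructed proxy log lines and flags application hosts that talk to the Telegram bot API or the Filebase S3 endpoint the article ties to this campaign. The log line format and the endpoint host names are assumptions to adapt to your own proxy.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the article). Assumed format:
# timestamp, source IP, method, destination host, path, bytes sent.
SAMPLE_LOG = """\
2026-04-12T10:01:03Z 10.0.5.21 GET cdn.example.com /bundle.js 512
2026-04-12T10:01:07Z 10.0.5.21 POST api.telegram.org /bot000000:FAKE/sendMessage 1843
2026-04-12T10:01:09Z 10.0.5.22 PUT s3.filebase.com /bucket/env-10.0.5.22.tgz 204800
2026-04-12T10:02:11Z 10.0.5.23 GET registry.npmjs.org /react 3072
2026-04-12T10:02:40Z 10.0.5.21 POST api.telegram.org /bot000000:FAKE/sendDocument 9210
"""

# Endpoints the article associates with the campaign's reporting and upload
# channels. Host names are an assumption; extend with your own denylist.
SUSPECT_HOSTS = {"api.telegram.org", "s3.filebase.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<bytes>\d+)$"
)

def parse_line(line):
    """Parse one proxy log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec

def find_exfil_candidates(log_text, suspect_hosts=SUSPECT_HOSTS):
    """Return {source_ip: [records]} for requests to suspect endpoints.
    Legitimate use of these services may exist; treat hits as triage alerts,
    not as proof of compromise."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["host"] in suspect_hosts:
            # Telegram bot API paths embed the bot token; mask it before alerting
            rec["path"] = re.sub(r"/bot[^/]+", "/bot<redacted>", rec["path"])
            hits[rec["src"]].append(rec)
    return dict(hits)

if __name__ == "__main__":
    for src, recs in find_exfil_candidates(SAMPLE_LOG).items():
        print(src, [(r["host"], r["method"], r["bytes"]) for r in recs])
```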

Source: “Hackers Use Telegram Bots to Track 900+ Successful React2Shell Exploits”, https://cybersecuritynews.com/hackers-use-telegram-bots/