Two months after a critical vulnerability was disclosed in React Server Components, researchers warn of a significant change in threat activity targeting the flaw.
The original vulnerability, tracked as CVE-2025-55182, allows an unauthenticated attacker to achieve remote code execution due to unsafe deserialization of payloads.
The initial wave of attacks in December led to hundreds of systems being compromised as state-linked threat groups and other actors engaged in widespread exploitation. The vulnerability, dubbed React2Shell, has been targeted in a wide range of industries since it was discovered in late November.
Researchers from GreyNoise on Monday reported a distinctive change over the prior seven days, as more than half of the threat activity now emanated from only two IP addresses, according to a blog post. Before the change, there were 1,083 unique sources linked to threat activity, according to researchers.
GreyNoise said its sensors detected more than 1.4 million attempts to exploit CVE-2025-55182 during the seven-day period.
Researchers warned the exploitation appears to be focused on the developer community.
“We’re seeing heavy targeting of the ports that software development servers run on,” researchers from GreyNoise told Cybersecurity Dive. “Organizations that expose development infrastructure to the internet are at risk.”
One of the two new sources “retrieves cryptomining binaries from staging servers,” while the second “opens reverse shells to the scanning IPs,” according to the blog. It is not immediately clear whether the new activity is from two distinct actors or a single actor using compartmentalized infrastructure.
GreyNoise said that organizations that haven’t yet applied patches should assume they have been targeted.
Separately, React late last month disclosed new denial-of-service vulnerabilities, tracked as CVE-2026-23864.