Bissa Scanner Steals Data from 900 Companies via React2Shell (CVE-2025-55182)

By xploitzone
April 24, 2026 5:18 PM

A single operator used Bissa Scanner, AI coding tools and a Telegram bot to breach over 900 companies worldwide through the React2Shell vulnerability, CVE-2025-55182. They harvested API keys for Anthropic, OpenAI, AWS and Stripe and triaged every hit through real-time alerts delivered to a single messaging app.

A single operator sitting on their phone, receiving real-time notifications of successful intrusions at hundreds of companies, is a new and unsettling normal in cybersecurity. Investigators at The DFIR Report discovered an exposed server that housed the entire machinery of the React2Shell (CVE-2025-55182) operation.

An automated pipeline scanned millions of targets and confirmed over 900 successful exploitations. Logs on the server laid out the complete workflow: secret harvesting, hit scoring, Telegram alerting and access validation. The findings were published on April 24, 2026 and shook the cybersecurity community.

CVE-2025-55182, which researchers call React2Shell, was publicly disclosed on December 3, 2025. It is an unauthenticated remote code execution flaw in React Server Components with a CVSS score of 10.0: an attacker can execute arbitrary code on the server by sending a single crafted HTTP request, with no authentication required.

The vulnerability is present in the default configuration, so a Next.js application scaffolded with the standard create-next-app is exploitable without any additional code. Soon after disclosure, China-nexus state-sponsored groups began exploiting it in the wild, but the Bissa Scanner operator brought a different level of sophistication.

The Bissa Scanner platform combined React2Shell exploitation with internet-scale, multi-victim staging and validation. This was not a simple data dump but an organized operation in which exploitation scripts, victim triage, credential harvesting and access validation all ran in one place.

The scanner reads targets from an acquirer file and the exploit type from a lease file, then, on each compromised host, enumerates .env files, cloud metadata, the Kubernetes service account context, cryptocurrency wallet contents and database credentials.

Between April 10 and April 21, 2026, the operator uploaded more than 400 env-batch ZIP archives, processed more than 30,000 distinct .env filenames and deposited more than 65,000 archived file entries into the bissapromax bucket on Filebase, an S3-compatible storage service.

Real-Time, Phone-Based Hacking

A Telegram bot token linked to @bissapwned_bot was hardcoded in the runner scripts. On every confirmed CVE-2025-55182 hit, the bot sent a structured alert to the operator's private Telegram chat containing the victim's identity, runtime context, privilege level, cloud posture and recoverable secrets, all on a single emoji-delimited line. The operator could triage hundreds of exploitation events directly from a mobile phone.

The operator's public Telegram username was @BonJoviGoesHard and their display name was Dr. Tube. One person, one phone, data from over 900 companies. Transcripts recovered from the server showed the operator using Cloud Code and OpenClaw to read the scanner codebase, troubleshoot pipeline failures and refine the collection pipeline. This is the first time such direct and documented use of AI coding assistants has been seen in a mass exploitation campaign.

The haul of credentials was long and dangerous. From tens of thousands of .env files the operator harvested AI provider API keys for Anthropic and OpenAI, cloud credentials for AWS and Azure, payment tokens for Stripe and PayPal, and database credentials for MongoDB and Supabase. Companies in the financial, cryptocurrency and retail sectors were the most affected.

Some victim-specific data clusters included financial records, payroll data, HR information, CRM data and business-sensitive communications, meaning that not just credentials but whole bodies of business intelligence were compromised.

The DFIR Report, Cisco Talos, Microsoft and Google are aligned on the same immediate priorities: patch CVE-2025-55182 in React and Next.js deployments now, rotate every API key and database credential a compromised host could have read, audit application logs for suspicious POST requests, and add secrets scanning to CI/CD pipelines so that .env files do not become a permanent attack surface. Patching alone does nothing for a site whose .env was already read; the keys in it stay valid until they are rotated.
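The CI/CD secrets-scanning item is the one a team can put in place in an afternoon. What follows is an added example, not code from The DFIR Report, xploitzone or any vendor named above: a minimal scanner for the credential families the article lists. The provider prefixes it matches (`sk-ant-` for Anthropic, `sk-`/`sk-proj-` for OpenAI, `AKIA`/`ASIA` for AWS access key IDs, `sk_live_`/`sk_test_` for Stripe) are the publicly documented key formats; the remaining rules (password-bearing connection strings, JWTs, and high-entropy values in variables whose names suggest a secret) are generic heuristics, and the sample `.env` is constructed for the example.

```python
"""Minimal .env secrets scanner for a CI/CD gate.

Added example, not code from The DFIR Report, xploitzone or any named vendor.
Provider prefixes are the publicly documented key formats; the other rules are
generic heuristics. Tune both before relying on them in a pipeline.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Ordered rules: the first pattern that matches a value decides its kind.
# Anthropic must precede OpenAI because "sk-ant-..." also satisfies "sk-...".
RULES = [
    ("anthropic_api_key", re.compile(r"\bsk-ant-[A-Za-z0-9_\-]{20,}")),
    ("openai_api_key", re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_\-]{20,}")),
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    ("stripe_secret_key", re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{16,}")),
    # user:password@ embedded in a database or broker URL (MongoDB, Postgres, MySQL, Redis, AMQP)
    ("connection_string_with_password",
     re.compile(r"\b(?:mongodb(?:\+srv)?|postgres(?:ql)?|mysql|redis|amqp)://[^:/\s]+:[^@\s]+@")),
    # three base64url segments starting with "eyJ" (Supabase service keys are JWTs)
    ("jwt_token", re.compile(r"\beyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+")),
]

# A variable whose *name* looks secret-bearing gets an entropy check when no prefix rule fires.
NAME_HINT = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY|ACCESS_KEY", re.I)
ENTROPY_THRESHOLD = 3.5  # bits per character; random-looking values score well above this
MIN_SECRET_LEN = 16

ENV_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_env(text):
    """Yield (name, value) pairs from dotenv-style text.

    Blank lines and full-line comments are skipped, a leading "export " is
    accepted, and matching surrounding quotes are stripped. Inline comments and
    multi-line values are deliberately not handled: this is a scanner, not a loader.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        yield name, value


def shannon_entropy(s):
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(name, value):
    """Return the finding kind for one variable, or None if it looks benign."""
    for kind, pattern in RULES:
        if pattern.search(value):
            return kind
    if (NAME_HINT.search(name) and len(value) >= MIN_SECRET_LEN
            and shannon_entropy(value) > ENTROPY_THRESHOLD):
        return "generic_high_entropy_secret"
    return None


def redact(value, keep=6):
    """Keep a short prefix so the key family stays recognisable; mask the rest."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


@dataclass(frozen=True)
class Finding:
    variable: str
    kind: str
    redacted: str


def scan_env(text):
    """Scan dotenv text and return one Finding per flagged variable, in file order."""
    findings = []
    for name, value in parse_env(text):
        kind = classify(name, value)
        if kind is not None:
            findings.append(Finding(name, kind, redact(value)))
    return findings


def ci_gate(text):
    """Return (exit_code, report_lines); exit code 1 means block the pipeline."""
    findings = scan_env(text)
    report = [f"{f.variable}: {f.kind} ({f.redacted})" for f in findings]
    return (1 if findings else 0), report


# Constructed sample for this example; none of these values are real credentials.
SAMPLE_ENV = """\
NODE_ENV=production
ANTHROPIC_API_KEY=sk-ant-api03-AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdef
OPENAI_API_KEY="sk-proj-ZyXwVuTsRqPoNmLkJiHgFeDcBa9876543210"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
STRIPE_SECRET_KEY=sk_live_ExampleOnlyNotARealKey0123
MONGODB_URI=mongodb+srv://app:S3cretPassw0rd@cluster0.example.mongodb.net/prod
DATABASE_URL=postgres://app:hunter2@db.internal:5432/app
export SUPABASE_SERVICE_ROLE_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIn0.c2lnbmF0dXJl
LOG_LEVEL=info
"""

if __name__ == "__main__":
    code, lines = ci_gate(SAMPLE_ENV)
    print("\n".join(lines) or "no secrets found")
    raise SystemExit(code)
```

Run it against each `.env`-style file in the build context and fail the job on a non-zero exit. The report never prints a full value, so it is safe in CI logs. The entropy rule is what catches credentials with no distinctive prefix, such as the AWS secret access key and Azure client secrets; the price is occasional false positives on long random-looking config values, which is why it only applies to variables whose names already suggest a secret.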

xploitzone

Exploring the world of cybersecurity through in-depth analysis of vulnerabilities, data breaches and emerging threats. Delivering real insights, technical breakdowns and bug bounty discoveries for security enthusiasts and researchers.