React/Next.js Server Actions deserialisation ("React2Shell") — weaponised by PCPJack worm
cve · CVE-2025-55182
Coverage timeline: 3 · first 2026-05-10 → last 2026-06-17
Briefs: 3 · 3 distinct
Sources cited: 32 · 20 hosts
Sections touched: 0
Co-occurring entities: 0 · no co-occurrence
Story timeline
- 2026-05-19 · CTI Daily Brief — 2026-05-19
- 2026-05-10 · CTI Daily Brief — 2026-05-10
- 2026-W19 · CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
Source distribution
- attack.mitre.org · 5 (16%)
- nvd.nist.gov · 5 (16%)
- thehackernews.com · 4 (12%)
- isc.sans.edu · 2 (6%)
- bleepingcomputer.com · 1 (3%)
- checkmarx.com · 1 (3%)
- dea.gov · 1 (3%)
- euvd.enisa.europa.eu · 1 (3%)
- other · 12 (38%)
External references
All cited sources (32)
- sentinelone.com · primary · inline · SentinelLabs · https://www.sentinelone.com/labs/cloud-worm-evicts-teampcp-and-steals-credentials-at-scale/
- attack.mitre.org · inline · T1078 · https://attack.mitre.org/techniques/T1078/
- attack.mitre.org · inline · T1078.002 · https://attack.mitre.org/techniques/T1078/002/
- attack.mitre.org · inline · T1133 · https://attack.mitre.org/techniques/T1133/
- attack.mitre.org · inline · T1485 · https://attack.mitre.org/techniques/T1485/
- attack.mitre.org · inline · T1486 · https://attack.mitre.org/techniques/T1486/
- bleepingcomputer.com · inline · BleepingComputer, 2026-06-05 · https://www.bleepingcomputer.com/news/security/suspicious-polyfill-login-prompts-pop-up-on-toshiba-muji-websites/
- checkmarx.com · inline · Checkmarx, 2026-05-12 · https://checkmarx.com/blog/ongoing-security-updates/
- dea.gov · inline · US DEA, 2026-05-13 · https://www.dea.gov/press-releases/2026/05/13/german-citizen-charged-laundering-funds-linked-prominent-darknet
- euvd.enisa.europa.eu · inline · ENISA EUVD, 2026-06-18 · https://euvd.enisa.europa.eu/enisa/EUVD-2026-37966
- isc.sans.edu · inline · SANS Internet Storm Center, 2026-05-25 · https://isc.sans.edu/diary/33016
- isc.sans.edu · inline · SANS Internet Storm Center, 2026-05-18 · https://isc.sans.edu/diary/rss/32994
- nvd.nist.gov · inline · CVE-2025-55182 · https://nvd.nist.gov/vuln/detail/CVE-2025-55182
- nvd.nist.gov · inline · CVE-2025-29927 · https://nvd.nist.gov/vuln/detail/CVE-2025-29927
- nvd.nist.gov · inline · CVE-2025-48703 · https://nvd.nist.gov/vuln/detail/CVE-2025-48703
- nvd.nist.gov · inline · CVE-2025-9501 · https://nvd.nist.gov/vuln/detail/CVE-2025-9501
- nvd.nist.gov · inline · CVE-2026-1357 · https://nvd.nist.gov/vuln/detail/CVE-2026-1357
- ox.security · inline · OX Security, 2026-05-17 · https://www.ox.security/blog/new-actors-deploy-shai-hulud-clones-teampcp-copycats-are-here/
- pgadmin.org · inline · pgAdmin, 2026-06-18 · https://www.pgadmin.org/docs/pgadmin4/9.16/release_notes_9_16.html
- security-hub.ncsc.admin.ch · inline · NCSC-CH Security Hub #12558, 2026-05-12 · https://security-hub.ncsc.admin.ch/#/posts/12558
- security.com · inline · Broadcom Security, 2026-05-18 · https://www.security.com/blog-post/fast16-nuclear-sabotage
- securitylabs.datadoghq.com · inline · Datadog Security Labs static analysis, 2026-05-13 · https://securitylabs.datadoghq.com/articles/shai-hulud-open-source-framework-static-analysis/
- securityweek.com · inline · SecurityWeek, 2026-05-08 · https://www.securityweek.com/pcpjack-worm-removes-teampcp-infections-steals-credentials/
- stepsecurity.io · inline · StepSecurity analysis, 2026-05-11 · https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
- tanstack.com · inline · TanStack post-mortem, 2026-05-12 · https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
- thehackernews.com · inline · The Hacker News, 2026-05-18 · https://thehackernews.com/2026/05/four-malicious-npm-packages-deliver.html
- thehackernews.com · inline · The Hacker News, 2026-05-19 · https://thehackernews.com/2026/05/mini-shai-hulud-pushes-malicious-antv.html
- thehackernews.com · inline · The Hacker News, 2026-05-07 · https://thehackernews.com/2026/05/pcpjack-credential-stealer-exploits-5.html
- thehackernews.com · inline · The Hacker News, 2026-05-18 · https://thehackernews.com/2026/05/pre-stuxnet-fast16-malware-tampered.html
- therecord.media · inline · The Record, 2026-05-14 · https://therecord.media/dream-market-admin-arrested-in-germany
- wiz.io · inline · Wiz Blog, 2026-05-11 · https://www.wiz.io/blog/mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromised
- zetter-zeroday.com · inline · Kim Zetter / ZERO DAY, 2026-05-16 · https://www.zetter-zeroday.com/experts-confirm-the-fast16-malware-was-sabotaging-nuclear-weapons-tests-likely-in-iran/
Items in briefs about React/Next.js Server Actions deserialisation ("React2Shell") — weaponised by PCPJack worm
No parsed item heading or body matches this entity yet. Items match by exact CVE id (for CVE entities), by lead-segment substring of the title in the item heading or body, or by a distinctive anchor token from the title appearing in the item heading. Coverage that lives inside a broader section (no per-item heading) is captured by the Story timeline above.