Hackers are increasingly targeting NGINX web servers by exploiting the React2Shell vulnerability (CVE-2025-55182) found in the React 19 library. Researchers from Datadog Security Labs report that these threat actors use compromised access to redirect web traffic for malicious activities. The focus is on sites managed with Boato Panel, particularly those linked to Asian organizations and Chinese hosting services. The risks include malware installation on users' devices and traffic diversion to fraudulent pages designed to harvest login credentials. Ryan Simon, a senior security researcher at Datadog, explains that this tactic not only undermines user security but also damages the reputation of affected websites. NGINX, a key player in modern web infrastructure, relies on configuration files for traffic routing. If these files are poorly configured or breached, attackers can hijack traffic. The attack strategy has evolved; initial exploits involved cryptomining, but hackers have shifted to targeting web servers directly for more effective traffic manipulation. The recent consolidation of exploitation attempts indicates a focused attack pattern, with just two IP addresses responsible for 56% of incidents, down from over a thousand sources. Simon emphasizes the importance of maintaining configuration file integrity and applying the latest security patches. Monitoring resources like the NGINX security advisory site can help prevent such breaches. This trend highlights a regression to older hacking methods, as attackers adapt to stronger user defenses like password managers and multi-factor authentication.