Bissa Scanner exposes AI credential farms

- Investigators uncovered Bissa Scanner, an AI-assisted credential-harvesting operation, after finding an exposed server.
- The tool automates credential collection and scales phishing workflows using AI-assisted orchestration.
- Researchers argue this demonstrates that AI is lowering costs and raising scale for everyday credential theft operations. (thecyberexpress.com)

A credential-harvesting operation called Bissa Scanner came into view after investigators found one of its servers exposed on the open internet. (thedfirreport.com) The exposed host held code, logs, victim data, Telegram alert streams, and operator transcripts that showed Claude Code and OpenClaw being used to troubleshoot and refine the workflow. The DFIR Report published the findings on April 22, 2026. (thedfirreport.com)

Credential harvesting is the theft of usernames, passwords, keys, and tokens that let attackers sign in as a victim. In this case, the operation used a web application vulnerability called React2Shell to break into internet-facing apps and then pull secrets from the compromised servers. (blog.talosintelligence.com) React2Shell, tracked as CVE-2025-55182, is a pre-authentication remote-code-execution flaw in React Server Components that was publicly disclosed on December 3, 2025. The React team rated it CVSS 10.0 and said affected packages were fixed in versions 19.0.1, 19.1.2, and 19.2.1. (react.dev)

Cisco Talos said the broader campaign it tracks as UAT-10608 had compromised at least 766 hosts as of April 2, 2026. Talos said about 701 of those hosts had database credentials, about 599 had Secure Shell private keys, and 196 had Amazon Web Services credentials. (blog.talosintelligence.com)

The Bissa Scanner server showed a larger pipeline wrapped around that access. DFIR said the setup could scan millions of targets, logged more than 900 confirmed compromises, and stored more than 13,000 files across 150-plus directories tied to exploitation, staging, validation, and operator workflow management. (thedfirreport.com)

The stolen material was not limited to passwords. Investigators said the operation collected tens of thousands of `.env` files, which are configuration files that often hold application secrets, including credentials for artificial intelligence providers, cloud services, payment systems, messaging tools, and databases. (thedfirreport.com)

DFIR said the operator did not treat every victim the same way after the initial break-in. Artifacts showed the actor scored and validated access, then focused deeper follow-on activity on organizations in financial services, cryptocurrency, and retail. (thedfirreport.com)

The AI angle was not that a model found the vulnerability first. Investigators said AI tools were embedded in the operator’s day-to-day work to help with orchestration, debugging, and refining the collection pipeline after access had already been gained. (thedfirreport.com)

React2Shell had already drawn government attention before this server was found. The Cybersecurity and Infrastructure Security Agency added CVE-2025-55182 to its Known Exploited Vulnerabilities catalog after active exploitation was confirmed in the wild. (cisa.gov)

What the exposed server changed was visibility: instead of seeing only malware on a victim machine, investigators could watch the operator’s full assembly line. The picture that emerged was a credential-theft shop built to sort, score, and reuse stolen access at scale. (thecyberexpress.com)

Shared from Scout - Be the smartest in the room.