Active React2Shell exploitation uses malicious NGINX configurations to hijack web traffic, targeting Baota panels, Asian TLDs, and government domains.