Massive Credential Theft Campaign Exploits React2Shell Flaw in Next.js Applications
Cybersecurity researchers at Cisco Talos have uncovered a large-scale automated credential theft campaign orchestrated by the hacker group UAT-10608, which has compromised over 700 servers worldwide. The attackers are exploiting CVE-2025-55182 (React2Shell), a critical remote code execution (RCE) vulnerability in React Server Components used by Next.js applications.
The flaw allows attackers to send maliciously crafted web requests to vulnerable servers and execute arbitrary commands without authentication or user interaction. Once a server is exploited, the attackers deploy a malicious script that silently extracts sensitive data, including database credentials, SSH keys, AWS cloud tokens, Stripe payment keys, and GitHub access tokens.
To manage the stolen data, the threat actors use a custom web dashboard called the "NEXUS Listener", which recorded 766 compromised hosts in just 24 hours. The impact is severe:
- Over 90% of affected servers had database credentials stolen.
- Nearly 80% lost private SSH keys, enabling lateral movement across networks.
- Stolen cloud credentials could allow attackers to hijack entire cloud environments.
- Compromised GitHub tokens risk malicious code injection into software updates.
The campaign highlights the urgent need for organizations using Next.js to patch the React2Shell vulnerability and rotate exposed credentials. The stolen data provides attackers with persistent access to critical systems, posing long-term security risks.
Source: https://cybersecuritynews.com/700-next-js-hosts-exploited/
Amazon Web Services (AWS) cybersecurity rating report: https://www.rankiteo.com/company/amazon-web-services
Vercel cybersecurity rating report: https://www.rankiteo.com/company/vercel
GitHub cybersecurity rating report: https://www.rankiteo.com/company/github
Stripe cybersecurity rating report: https://www.rankiteo.com/company/stripe
{
  "id": "AMAVERGITSTR1775204764",
  "linkid": "amazon-web-services, vercel, github, stripe",
  "type": "Cyber Attack",
  "date": "4/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [{"location": "Worldwide", "type": "Servers"}],
  "attack_vector": "Remote Code Execution (RCE)",
  "data_breach": {
    "data_exfiltration": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": "Credentials, SSH keys, cloud tokens, payment keys, access tokens"
  },
  "description": "Cybersecurity researchers at Cisco Talos have uncovered a large-scale automated credential theft campaign orchestrated by the hacker group UAT-10608, which has compromised over 700 servers worldwide. The attackers are exploiting CVE-2025-55182 (React2Shell), a critical remote code execution (RCE) vulnerability in React Server Components used by Next.js applications. The flaw allows attackers to send maliciously crafted web requests to vulnerable servers, executing arbitrary commands without requiring authentication or user interaction. Once exploited, the attack deploys a malicious script that silently extracts sensitive data, including database credentials, SSH keys, AWS cloud tokens, Stripe payment keys, and GitHub access tokens. The threat actors use a custom web dashboard called the 'NEXUS Listener' to manage the stolen data, which recorded 766 compromised hosts in just 24 hours.",
  "impact": {
    "data_compromised": "Database credentials, SSH keys, AWS cloud tokens, Stripe payment keys, GitHub access tokens",
    "operational_impact": "Persistent access to critical systems, risk of lateral movement, cloud environment hijacking, malicious code injections",
    "payment_information_risk": "Stripe payment keys compromised",
    "systems_affected": "Over 700 servers worldwide"
  },
  "initial_access_broker": {
    "entry_point": "React2Shell vulnerability (CVE-2025-55182) in Next.js applications"
  },
  "lessons_learned": "Urgent need for organizations using Next.js to patch the React2Shell vulnerability and rotate exposed credentials. Stolen data provides attackers with persistent access to critical systems, posing long-term security risks.",
  "post_incident_analysis": {
    "corrective_actions": "Patch the vulnerability, rotate credentials, monitor for lateral movement and unauthorized access",
    "root_causes": "Exploitation of unpatched React2Shell vulnerability (CVE-2025-55182) in Next.js applications"
  },
  "recommendations": "Patch the React2Shell vulnerability (CVE-2025-55182) and rotate all exposed credentials, including database credentials, SSH keys, cloud tokens, payment keys, and GitHub access tokens.",
  "references": [{"source": "Cisco Talos"}],
  "response": {
    "remediation_measures": "Patch the React2Shell vulnerability, rotate exposed credentials"
  },
  "threat_actor": "UAT-10608",
  "title": "Massive Credential Theft Campaign Exploits React2Shell Flaw in Next.js Applications",
  "type": "Credential Theft",
  "vulnerability_exploited": "CVE-2025-55182 (React2Shell)"
}