Hackers Exploit React2Shell in Automated Credential Theft Campaign


What happened

Hackers are exploiting React2Shell to run an automated credential theft campaign against vulnerable Next.js applications. The activity centers on CVE-2025-55182 and has already led to the compromise of at least 766 hosts across multiple cloud providers and geographic regions. After identifying exposed Next.js apps, the attackers deploy a script that launches a multi-phase credential harvesting routine from the system’s temporary directory. According to Cisco Talos research, the operation uses a framework called NEXUS Listener to collect and manage stolen data from compromised systems. The harvested information includes database credentials, AWS credentials, SSH private keys, API keys, cloud tokens, environment secrets, Kubernetes tokens, Docker and container details, command history, and process runtime data. The stolen data is then exfiltrated in chunks over HTTP to attacker-controlled infrastructure.

Who is affected

The direct exposure affects organizations running vulnerable Next.js applications exposed to the internet. The campaign targets systems that hold cloud credentials, database access, SSH keys, API secrets, and other server-side sensitive data that can be extracted automatically after exploitation.

Why CISOs should care

This matters because the campaign is built for scale and speed, with attackers able to compromise hundreds of hosts in a short period and pull credentials that could support cloud account takeover, database access, lateral movement, and follow-on supply chain abuse. It also targets server-side secrets that can create broader enterprise risk well beyond the initial vulnerable application.

3 practical actions

  1. Patch React2Shell immediately: Apply the available security updates that address React2Shell (CVE-2025-55182) in vulnerable Next.js environments without delay.
  2. Rotate exposed credentials fast: If compromise is suspected, rotate cloud credentials, database credentials, API keys, SSH keys, and other secrets that may have been accessible on affected hosts.
  3. Reduce secret exposure on servers: Audit what server-side secrets are available to applications at runtime and tighten controls around metadata access, cloud roles, and secret storage.
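One way to carry out the third action is to inventory, from the application's own service account, what a compromised Next.js process could read. The script below is an added example written for this brief, not code from the article or from Cisco Talos. It reports only variable names and file paths (never values), so the output can be shared with the team that owns the host. The secret-name pattern and the list of credential store paths are assumptions covering the categories the campaign is described as harvesting; the demo environment and fixture files are constructed.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Environment variable names that usually carry secrets. The pattern is an
# assumption for illustration; extend it for your own naming conventions.
SECRET_NAME_RE = re.compile(
    r"(SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|PRIVATE_KEY|DATABASE_URL|CONN(ECTION)?_STR)",
    re.IGNORECASE,
)

# Credential stores of the kinds the campaign collects, as paths relative to the
# service account's home directory (assumed common defaults, not from the article).
CREDENTIAL_STORES = [
    ".aws/credentials", ".aws/config",
    ".ssh/id_rsa", ".ssh/id_ed25519", ".ssh/id_ecdsa",
    ".kube/config", ".docker/config.json",
    ".env", ".npmrc",
    ".bash_history", ".zsh_history",
]


def audit_env(env):
    """Return the names (never the values) of environment variables that look like secrets."""
    return sorted(name for name in env if SECRET_NAME_RE.search(name))


def audit_files(home):
    """Report which credential stores exist under ``home`` and how widely readable they are."""
    findings = []
    for rel in CREDENTIAL_STORES:
        path = Path(home) / rel
        if not path.is_file():
            continue
        mode = path.stat().st_mode
        findings.append({
            "path": str(path),
            "readable_by_app": os.access(path, os.R_OK),
            "group_readable": bool(mode & stat.S_IRGRP),
            "world_readable": bool(mode & stat.S_IROTH),
        })
    return findings


def exposure_report(env, home):
    """Summarise what code running as this account could harvest: names and paths only."""
    env_hits = audit_env(env)
    file_hits = audit_files(home)
    return {
        "secret_env_vars": env_hits,
        "credential_files": file_hits,
        "loose_permissions": [f["path"] for f in file_hits
                              if f["group_readable"] or f["world_readable"]],
        "exposure_count": len(env_hits) + sum(1 for f in file_hits if f["readable_by_app"]),
    }


def build_fixture():
    """Create a throwaway home directory with constructed, fake credential files for the demo."""
    home = Path(tempfile.mkdtemp(prefix="audit-demo-"))
    (home / ".aws").mkdir()
    (home / ".aws" / "credentials").write_text("[default]\naws_access_key_id = EXAMPLE\n")  # constructed
    (home / ".aws" / "credentials").chmod(0o644)  # deliberately loose for the demo
    (home / ".ssh").mkdir(mode=0o700)
    (home / ".ssh" / "id_ed25519").write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nFAKE\n")  # constructed
    (home / ".ssh" / "id_ed25519").chmod(0o600)
    (home / ".bash_history").write_text("export DB_PASSWORD=not-real\n")  # constructed
    (home / ".bash_history").chmod(0o600)
    return home


# Constructed environment standing in for a Next.js process's os.environ.
DEMO_ENV = {
    "PATH": "/usr/bin",
    "NODE_ENV": "production",
    "AWS_SECRET_ACCESS_KEY": "not-a-real-key",
    "DATABASE_URL": "postgres://app:pw@db/app",
    "NEXT_PUBLIC_SITE_NAME": "demo",
}


if __name__ == "__main__":
    # For a real audit, run this on the host as the application's service account:
    #   exposure_report(os.environ, Path.home())
    report = exposure_report(DEMO_ENV, build_fixture())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Anything listed under `loose_permissions` or reachable through `secret_env_vars` is a candidate for moving into a secrets manager or an instance role with a short-lived token, which also narrows what needs rotating under the second action if a host is later found compromised.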
