Hackers Exploit React2Shell in Automated Credential Theft Campaign

Related

AirDrop and Quick Share Flaws Allow Attackers to Crash Nearby Devices

What happened Security researchers disclosed multiple vulnerabilities affecting Apple AirDrop...

Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints

What happened Threat actors are exploiting a critical Langflow vulnerability...

BlueHammer Microsoft Defender Flaw Exploited in Ransomware Attacks

What happened CISA updated its Known Exploited Vulnerabilities catalog to...

Critical Dell Wyse Vulnerabilities Enable Remote Code Execution

What happened Dell Technologies released a critical security advisory for...

Insurance Regulators Group NAIC Hit in Oracle PeopleSoft Hack

What happened The National Association of Insurance Commissioners confirmed it...

Share

What happened

Hackers are exploiting React2Shell to run an automated credential theft campaign against vulnerable Next.js applications. The activity centers on CVE-2025-55182 and has already led to the compromise of at least 766 hosts across multiple cloud providers and geographic regions. After identifying exposed Next.js apps, the attackers deploy a script that launches a multi-phase credential harvesting routine from the system’s temporary directory. According to Cisco Talos research, the operation uses a framework called NEXUS Listener to collect and manage stolen data from compromised systems. The harvested information includes database credentials, AWS credentials, SSH private keys, API keys, cloud tokens, environment secrets, Kubernetes tokens, Docker and container details, command history, and process runtime data. The stolen data is then exfiltrated in chunks over HTTP to attacker-controlled infrastructure.

Who is affected

The direct exposure affects organizations running vulnerable Next.js applications exposed to the internet. The campaign targets systems that hold cloud credentials, database access, SSH keys, API secrets, and other server-side sensitive data that can be extracted automatically after exploitation.

Why CISOs should care

This matters because the campaign is built for scale and speed, with attackers able to compromise hundreds of hosts in a short period and pull credentials that could support cloud account takeover, database access, lateral movement, and follow-on supply chain abuse. It also targets server-side secrets that can create broader enterprise risk well beyond the initial vulnerable application.

3 practical actions

  1. Patch React2Shell immediately: Apply the available security updates for React2Shell in vulnerable Next.js environments without delay.
  2. Rotate exposed credentials fast: If compromise is suspected, rotate cloud credentials, database credentials, API keys, SSH keys, and other secrets that may have been accessible on affected hosts.
  3. Reduce secret exposure on servers: Audit what server-side secrets are available to applications at runtime and tighten controls around metadata access, cloud roles, and secret storage.

For more news about software flaws under active exploitation, click Vulnerability to read more.

IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.