Hackers are running a large-scale campaign to steal credentials in an automated way after exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js apps.

BleepingComputer

A large-scale automated credential theft campaign is exploiting the React2Shell vulnerability (CVE-2025-55182) in Next.js applications. Attributed to threat cluster UAT-10608 by Cisco Talos, the operation compromised 766 hosts within 24 hours using a framework called NEXUS Listener. Stolen data includes AWS/GCP/Azure credentials, SSH keys, API keys, Kubernetes tokens, GitHub/GitLab tokens, and environment secrets. Defenders are advised to patch React2Shell, rotate all credentials, enforce AWS IMDSv2, enable secret scanning, and deploy WAF/RASP protections.

Hackers exploit React2Shell in automated credential theft campaign