A massive automated cyberattack campaign is actively targeting web applications built on the popular Next.js framework to steal highly sensitive information.

Cybersecurity researchers at Cisco Talos have uncovered a severe credential harvesting operation tracked as “UAT-10608” that compromised at least 766 servers worldwide within just 24 hours.

The core of this attack relies on CVE-2025-55182, a severe remote code execution flaw found in React Server Components.

When a client sends serialized data to a server endpoint, the vulnerable code deserializes and processes it without adequate validation or sanitization.

Because no authentication is required, an attacker can simply send a malicious payload directly to execute arbitrary code within the server environment.

The UAT-10608 group does not hack servers manually, but instead relies on automated scanning tools to find public-facing Next.js applications using services like Shodan and Censys.

Once a vulnerable target is identified, the exploit is launched automatically without any human interaction. The attackers quickly drop a small script into the server’s temporary files folder to begin the infection process.

Multi-Phase Harvesting Tool

This initial script downloads a larger, multi-phase harvesting tool that methodically scans the compromised system for sensitive data.

It runs through highly specific phases to carefully extract environment variables, check for Kubernetes service account tokens, and capture shell command histories.

After completing each individual phase, the script silently sends the stolen information back to the attacker’s server.

The malicious script aggressively pulls metadata from major cloud providers like AWS, Google Cloud, and Microsoft Azure.

Additionally, it specifically looks for running Docker containers by enumerating network configurations and exposed ports.

This thorough reconnaissance allows the attackers to easily find internal administrative dashboards and databases for further targeted exploitation.

To efficiently manage the massive influx of stolen data, the threat group uses a web-based command and control interface named “NEXUS Listener”.

This dashboard gives the attackers a clean graphical user interface to search and analyze the harvested credentials easily.

While usually protected by a password, researchers discovered an accidentally exposed instance that revealed the true operational scale.

The NEXUS Listener dashboard accurately tracks real-time statistics, showing exactly how many web hosts were compromised during the campaign.

It neatly organizes the stolen data into specific credential categories and precisely tracks the uptime of the hacking operation itself.

This exposed dashboard definitively confirmed that 766 individual hosts were fully breached in a single day.

Severe Data Exposure

The sheer volume and sensitivity of the stolen data are incredibly alarming for network defenders.

According to Talos Intelligence, 91.5 percent of the compromised hosts leaked their database credentials, which included cleartext passwords.

Additionally, 78.2 percent of the affected servers exposed private SSH keys, essentially allowing attackers to move laterally into other connected systems.

The automated scripts harvested live Stripe payment API keys from over 80 distinct hosts. They also stole highly sensitive GitHub tokens, artificial intelligence platform keys from OpenAI, and crucial Azure subscription credentials.

Furthermore, roughly a quarter of all the victims had their temporary AWS cloud access credentials completely compromised by the attackers.

The ongoing UAT-10608 campaign starkly highlights the immense danger of deserialization vulnerabilities in modern web development frameworks.

Organizations using Next.js must urgently verify their web deployments against the React2Shell flaw (CVE-2025-55182) and apply security patches immediately.

All impacted systems must completely rotate their exposed passwords and tokens to prevent further devastating network compromise.
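The credential classes listed above are exactly what a rotation checklist has to cover. The following added example (not from the article or from Talos) parses a Next.js deployment's `.env` contents and groups the secrets it finds into those classes, separating AWS STS credentials (`ASIA…` access key id or a session token) from long-lived ones. The `.env` sample is constructed with placeholder values; the key-name patterns are my own assumption, while the value prefixes are the vendors' public key formats.

```python
import re

# Constructed sample .env for demonstration only; every value is a fake placeholder.
SAMPLE_ENV = """
DATABASE_URL=postgres://app:S3cretPassw0rd@db.internal:5432/prod
STRIPE_SECRET_KEY="sk_live_PLACEHOLDER0000000000000000"
GITHUB_TOKEN=ghp_PLACEHOLDER00000000000000000000000000
OPENAI_API_KEY=sk-PLACEHOLDER0000000000000000000000000000000000
AWS_ACCESS_KEY_ID=ASIAPLACEHOLDER00000
AWS_SECRET_ACCESS_KEY=PLACEHOLDER/PLACEHOLDER/PLACEHOLDER000000
AWS_SESSION_TOKEN=PLACEHOLDERSESSIONTOKEN
NEXT_PUBLIC_API_BASE=https://api.example.com
"""

# Ordered (category, key-name regex, value regex); first match wins. Value prefixes are the
# vendors' public key formats (sk_live_, ghp_, sk-, AKIA/ASIA); key-name patterns are assumed.
RULES = [
    ("database credential", r"DATABASE_URL|DB_URL|DB_PASS|PASSWORD", r"^[a-z+]+://[^:@/\s]+:[^@\s]+@"),
    ("Stripe live key", r"STRIPE", r"^sk_live_"),
    ("GitHub token", r"GITHUB", r"^(ghp|gho|ghs|ghu|github_pat)_"),
    ("OpenAI key", r"OPENAI", r"^sk-"),
    ("AWS credential", r"^AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)$", r"^(AKIA|ASIA)[A-Z0-9]{16}$"),
]


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines, ignoring blanks and comments and stripping surrounding quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("'\"")
    return env


def classify_secrets(env: dict) -> dict:
    """Map each credential category to the variable names that must be rotated."""
    found = {}
    for key, value in env.items():
        for category, key_re, value_re in RULES:
            if re.search(key_re, key) or re.search(value_re, value):
                found.setdefault(category, []).append(key)
                break
    # STS credentials (ASIA... access key id or a session token) expire on their own but stay
    # usable until then, so the article's "temporary AWS credentials" get their own item.
    if env.get("AWS_ACCESS_KEY_ID", "").startswith("ASIA") or "AWS_SESSION_TOKEN" in env:
        found["AWS temporary credential"] = found.pop("AWS credential", [])
    return found
```

Running `classify_secrets(parse_env(open(".env").read()))` on a real deployment yields the per-category list of variables to rotate; public, non-secret settings such as `NEXT_PUBLIC_*` are left out.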

Posted by in Blog on April 7, 2026