BIGFISH TECHNOLOGY LIMITED
07 April 2026

Hackers Exploit React2Shell Vulnerability in Automated Credential Theft Campaign

Cybercriminals are actively exploiting the React2Shell vulnerability (CVE‑2025‑55182) in Next.js applications to steal credentials and sensitive data through an automated, large-scale attack campaign affecting systems worldwide.


Attack Details

Researchers from Cisco Talos revealed that this campaign targets unpatched systems, allowing attackers to automatically inject scripts that steal critical information without being detected.

React2Shell serves as an initial access point, enabling attackers to:

  • Deploy credential-stealing scripts
  • Collect sensitive data automatically
  • Exfiltrate stolen information to attacker-controlled servers


Types of Data Stolen

The attackers gather various critical information, including:

  • Database passwords and credentials, cloud API keys, and SSH keys
  • Cloud service tokens for providers such as AWS, GCP, and Azure
  • Environment variables and Kubernetes secrets
  • Command history and runtime information


Stolen data can be used for advanced attacks, including privilege escalation, lateral movement, system takeover, and theft of personal or business-critical information.


Tools and Frameworks Used

This campaign leverages the NEXUS Listener framework to:

  • Scan for vulnerable Next.js applications
  • Inject automated credential-stealing scripts
  • Send collected data back to attacker servers


The campaign has been tracked by cybersecurity researchers as UAT‑10608, and exposed NEXUS Listener interfaces have provided insight into the attack methodology.



Security Recommendations

Organizations and IT teams should implement the following measures:

  1. Apply the latest React2Shell patches immediately
  2. Rotate passwords, API keys, and tokens that may have been exposed
  3. Deploy preventive measures such as WAFs, anomaly detection, and strict access controls
  4. Regularly monitor systems for suspicious activity
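Recommendation 2 is only actionable if a team knows which credentials a compromised Next.js host could have leaked. The script below is an added example, not code from this advisory or from Cisco Talos: it parses a `.env` file of the kind a Next.js deployment loads, flags variables that fall into the data categories listed above (database credentials, cloud API keys and tokens, SSH keys, generic secrets) and emits a masked rotation checklist. The `.env` content is constructed, and the name/value patterns are assumptions about common credential formats, not indicators from the campaign.

```python
"""Build a credential-rotation checklist from a Next.js deployment's .env file.

Added example (not from the advisory or Cisco Talos). SAMPLE_ENV is constructed;
the classification rules are assumed heuristics for common secret formats.
"""
import re

# Constructed sample .env for a hypothetical Next.js app; none of these are real secrets.
SAMPLE_ENV = """\
# database
DATABASE_URL=postgres://app:s3cr3t@db.internal:5432/prod
export AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000
AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
NEXT_PUBLIC_API_BASE=https://api.example.com
AZURE_CLIENT_SECRET=abc~DEF.ghi_jkl
GOOGLE_APPLICATION_CREDENTIALS=/etc/gcp/sa.json
SSH_PRIVATE_KEY=-----BEGIN OPENSSH PRIVATE KEY-----
NODE_ENV=production
"""

# Ordered rules: (category, regex on the variable name, optional regex on the value).
# First match wins, so provider-specific rules come before the generic one.
RULES = [
    ("aws", re.compile(r"^AWS_", re.I), re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("gcp", re.compile(r"^(GOOGLE_APPLICATION_CREDENTIALS|GCP_)", re.I), None),
    ("azure", re.compile(r"^AZURE_", re.I), None),
    ("ssh", re.compile(r"SSH.*KEY", re.I), re.compile(r"-----BEGIN .*PRIVATE KEY-----")),
    ("database", re.compile(r"(DATABASE|DB)_(URL|PASS)", re.I),
     re.compile(r"^[a-z+]+://[^:@/]+:[^@/]+@")),  # scheme://user:password@host
    ("generic", re.compile(r"(SECRET|TOKEN|PASSWORD|API_KEY)", re.I), None),
]


def parse_env(text):
    """Parse dotenv-style lines (comments, blank lines, 'export', simple quotes)."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        name, value = name.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[name] = value
    return env


def classify(name, value):
    """Return the secret category for a variable, or None if it needs no rotation."""
    # NEXT_PUBLIC_* values are inlined into the browser bundle by Next.js; they are
    # public by design and must never hold a secret, so they are not rotation items.
    if name.startswith("NEXT_PUBLIC_"):
        return None
    for category, name_re, value_re in RULES:
        if name_re.search(name) or (value_re is not None and value_re.search(value)):
            return category
    return None


def mask(value):
    """Keep only a short prefix/suffix so the checklist itself leaks nothing useful."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-2:]


def rotation_plan(env):
    """List every variable that should be rotated, in file order, with masked values."""
    plan = []
    for name, value in env.items():
        category = classify(name, value)
        if category is not None:
            plan.append({"name": name, "category": category, "masked": mask(value)})
    return plan


def summarize(plan):
    """Count rotation items per category."""
    counts = {}
    for item in plan:
        counts[item["category"]] = counts.get(item["category"], 0) + 1
    return counts


if __name__ == "__main__":
    items = rotation_plan(parse_env(SAMPLE_ENV))
    for item in items:
        print(f"[{item['category']:<8}] {item['name']} = {item['masked']}")
    print("summary:", summarize(items))
```

Run it against the real `.env` (and any secrets injected by the orchestrator, e.g. Kubernetes secrets mounted as environment variables) of each affected host, then treat every listed item as compromised until rotated; the masked output can be pasted into the incident ticket without re-exposing the values.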


Automated attacks like this demonstrate the constantly evolving nature of cyber threats. Continuous patching and proactive security monitoring are essential to protect sensitive organizational data.

#CyberSecurity #React2Shell #NextJS #CredentialTheft #DataBreach #HackerAlert #CyberAttack #InfoSec #Vulnerability #SecurityPatch #DataProtection #ITSecurity #ThreatDetection #CyberThreats #AutomatedAttack