
Hackers exploit React2Shell in automated credential theft campaign

Published:

5 April 2026 at 14:17:23

Alert date:

5 April 2026 at 15:01:14

Source:

bleepingcomputer.com

Web Technologies, Data Breach & Exfiltration, Supply Chain & Dependencies

Hackers are running a large-scale automated campaign that exploits the React2Shell vulnerability (CVE-2025-55182) in unpatched Next.js applications to steal credentials. The campaign systematically targets Next.js-based web applications, and its automated nature indicates a threat actor able to scale operations across many hosts. Organizations running affected Next.js applications face a significant risk of credential theft and follow-on compromise.

Technical details

Attackers are exploiting React2Shell (CVE-2025-55182) in Next.js applications with an automated framework called NEXUS Listener. The chain begins with automated scanning for vulnerable Next.js applications, followed by exploitation through React2Shell. A multi-phase credential-harvesting script is then dropped in the temporary directory of the compromised host. Harvested data is exfiltrated in chunks via HTTP requests over port 8080 to command-and-control servers. At least 766 hosts across various cloud providers were compromised within a 24-hour period.
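The exfiltration pattern above (many small HTTP requests from one host to the same destination on port 8080) is something a defender can hunt for in connection logs. The following is an added example written for this advisory, not code from the BleepingComputer report or from the Perceptive advisory. It assumes a hypothetical whitespace-separated log format (epoch seconds, source IP, destination IP, destination port, bytes sent), a hypothetical INTERNAL_NETS definition of the organisation's address space, and hypothetical MIN_CONNS / WINDOW_SECONDS thresholds; the log lines in SAMPLE_LOG are constructed for the demonstration.

```python
"""Flag the chunked-exfiltration pattern from the advisory: repeated outbound
HTTP connections from one internal host to one external host on port 8080.

Added example, not from the original report or advisory. Log format,
INTERNAL_NETS and the thresholds are hypothetical; SAMPLE_LOG is constructed.
"""
from collections import defaultdict
import ipaddress

EXFIL_PORT = 8080          # from the advisory: exfil over HTTP on port 8080
MIN_CONNS = 5              # hypothetical threshold: connections per window
WINDOW_SECONDS = 120       # hypothetical threshold: window length in seconds
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # hypothetical

# Constructed sample: <epoch_seconds> <src_ip> <dst_ip> <dst_port> <bytes_sent>
SAMPLE_LOG = """\
1775400000 10.0.1.15 203.0.113.9  8080 4096
1775400007 10.0.1.15 203.0.113.9  8080 4096
1775400015 10.0.1.15 203.0.113.9  8080 4096
1775400023 10.0.1.15 203.0.113.9  8080 4096
1775400031 10.0.1.15 203.0.113.9  8080 2310
1775400040 10.0.1.22 198.51.100.7 443  51200
1775400045 10.0.1.22 198.51.100.7 443  48000
1775400050 10.0.1.30 203.0.113.9  8080 1200
1775401000 10.0.1.30 203.0.113.9  8080 1200
1775400060 10.0.1.40 10.0.9.9     8080 4096
"""


def parse_log(text):
    """Parse the hypothetical log format into (ts, src, dst, dport, nbytes)."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                      # skip blank or malformed lines
        ts, src, dst, dport, nbytes = fields
        records.append((int(ts), src, dst, int(dport), int(nbytes)))
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_chunked_exfil(records, port=EXFIL_PORT, min_conns=MIN_CONNS,
                       window=WINDOW_SECONDS):
    """Return alerts (src, dst, conns_in_window, bytes_in_window) for every
    internal source -> external destination pair on `port` that has at least
    `min_conns` connections inside some window of `window` seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, nbytes in records:
        if dport == port and is_internal(src) and not is_internal(dst):
            by_pair[(src, dst)].append((ts, nbytes))

    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        best_count, best_bytes, start = 0, 0, 0
        for end in range(len(events)):
            # advance the window start until the span fits within `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count = count
                best_bytes = sum(b for _, b in events[start:end + 1])
        if best_count >= min_conns:
            alerts.append((src, dst, best_count, best_bytes))
    return sorted(alerts)


if __name__ == "__main__":
    for src, dst, n, total in find_chunked_exfil(parse_log(SAMPLE_LOG)):
        print(f"ALERT {src} -> {dst}:{EXFIL_PORT}: {n} connections, "
              f"{total} bytes within {WINDOW_SECONDS}s")
```

Run against the constructed sample, only 10.0.1.15 -> 203.0.113.9 is flagged: five connections in 31 seconds. The host with two connections 1000 seconds apart, the HTTPS traffic on 443 and the internal-to-internal 8080 traffic are all ignored. Port 8080 is also common for legitimate proxies and dev servers, so tune the thresholds and the internal-network definition to your environment before alerting on this.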

Mitigation steps:

Apply the security updates that fix the React2Shell vulnerability (CVE-2025-55182)
Audit server-side data exposure
Rotate all credentials immediately if compromise is suspected
Enforce AWS IMDSv2
Replace reused SSH keys
Enable secret scanning
Deploy WAF/RASP protections for Next.js applications
Enforce least-privilege access across containers and cloud roles
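Of the steps above, enforcing IMDSv2 is the one most often left half done: the setting is per instance, so the practical task is finding every instance that still answers IMDSv1 requests. The following is an added example for this advisory, not code from the original report or from AWS. It works on the JSON that `aws ec2 describe-instances --output json` returns (the Reservations/Instances/InstanceId/MetadataOptions/HttpTokens/HttpEndpoint fields and the `aws ec2 modify-instance-metadata-options` flags are the real ones); the instance IDs and settings in SAMPLE_DESCRIBE_INSTANCES are constructed sample data.

```python
"""Audit EC2 instances for IMDSv1 exposure and emit the CLI command that
enforces IMDSv2.

Added example, not from the original report or advisory. Field names and CLI
flags are AWS's real ones; SAMPLE_DESCRIBE_INSTANCES is constructed data.
"""
import json

# Constructed stand-in for `aws ec2 describe-instances --output json`
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
             "MetadataOptions": {"HttpTokens": "optional",
                                 "HttpEndpoint": "enabled",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0aaaaaaaaaaaaaaa2",
             "MetadataOptions": {"HttpTokens": "required",
                                 "HttpEndpoint": "enabled",
                                 "HttpPutResponseHopLimit": 1}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaa3",
             "MetadataOptions": {"HttpTokens": "optional",
                                 "HttpEndpoint": "disabled",
                                 "HttpPutResponseHopLimit": 1}},
        ]},
    ]
})


def find_imdsv1_instances(describe_json):
    """Return IDs of instances whose metadata endpoint is enabled but does not
    require a session token (HttpTokens != "required"), i.e. still accepts
    IMDSv1 GET requests. Instances with the endpoint disabled are skipped."""
    data = json.loads(describe_json)
    flagged = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if (opts.get("HttpEndpoint") == "enabled"
                    and opts.get("HttpTokens") != "required"):
                flagged.append(inst["InstanceId"])
    return flagged


def remediation_command(instance_id, hop_limit=1):
    """AWS CLI invocation that makes IMDSv2 mandatory on one instance.
    A hop limit of 1 keeps the token response from crossing a network hop,
    so containers on Docker bridge networking cannot obtain a token."""
    return ("aws ec2 modify-instance-metadata-options "
            f"--instance-id {instance_id} "
            "--http-tokens required --http-endpoint enabled "
            f"--http-put-response-hop-limit {hop_limit}")


if __name__ == "__main__":
    for instance_id in find_imdsv1_instances(SAMPLE_DESCRIBE_INSTANCES):
        print(remediation_command(instance_id))
```

One caveat worth stating next to this step: IMDSv2 stops credential theft through SSRF-style attacks, where the attacker can only make the server issue a GET on their behalf. An attacker who has code execution on the host, which is what React2Shell gives, can perform the PUT that obtains a session token and still read the instance role's credentials. IMDSv2 therefore belongs alongside the least-privilege step above, not in place of it: scope the instance role tightly and rotate credentials on any suspected compromise.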

Affected products:

Next.js applications
React applications with React2Shell vulnerability

Related links:

Related CVEs:

CVE-2025-55182

Related threat actors:

IOCs:

NEXUS Listener framework
HTTP traffic over port 8080 to C2 servers
Multi-phase credential-harvesting scripts in temporary directories

These are behavioural indicators; the advisory lists no atomic IOCs such as IP addresses, domains or file hashes.

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
