Perceptive Security
SOC/SIEM Consultancy

Hackers exploit React2Shell in automated credential theft campaign
Published:
5 April 2026 at 14:17:23
Alert date:
5 April 2026 at 15:01:14
Source:
bleepingcomputer.com
Web Technologies, Data Breach & Exfiltration, Supply Chain & Dependencies
Hackers are conducting a large-scale automated campaign to steal credentials by exploiting the React2Shell vulnerability (CVE-2025-55182) in vulnerable Next.js applications. This represents an active exploitation of a known vulnerability in web applications for credential harvesting purposes. The campaign appears to be targeting Next.js-based web applications systematically. The automated nature of the attacks suggests a sophisticated threat actor with the capability to scale operations. This exploitation poses significant risks to organizations using affected Next.js applications.
Technical details
Hackers are exploiting the React2Shell vulnerability (CVE-2025-55182) in Next.js applications through an automated framework called NEXUS Listener. The attack begins with automated scanning for vulnerable Next.js apps, followed by exploitation via React2Shell. A multi-phase credential-harvesting script is then deployed in the host's temporary directory. Sensitive data is exfiltrated in chunks via HTTP requests over port 8080 to command-and-control servers. At least 766 hosts across various cloud providers were compromised within a 24-hour period.
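The exfiltration pattern described above (many small outbound HTTP POSTs to the same external destination on port 8080 inside a short window) is something a SOC can hunt for in egress-proxy or flow logs. The script below is an added example for this alert; it is not code from the alert, from Talos or from BleepingComputer. The log format, the sample lines, the host names and the addresses are constructed, and the thresholds (four or more POST/PUT requests to one external IP:8080 within 60 seconds) are assumptions to be tuned per environment. Internal (RFC 1918) destinations are excluded so legitimate east-west traffic on 8080 does not fire.

```python
"""Heuristic hunt for chunked HTTP exfiltration over port 8080.

Added example for the React2Shell credential-theft alert; not the alert's
or the vendors' code. Flags hosts that send a burst of small POST/PUT
requests to the same external IP:8080 inside a short window.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed egress-proxy style log lines (not real telemetry):
# <timestamp> <src_host> <dst_ip> <dst_port> <method> <bytes_out>
SAMPLE_LOG = """\
2026-04-05T13:58:01Z web-01 203.0.113.10 8080 POST 4096
2026-04-05T13:58:03Z web-01 203.0.113.10 8080 POST 4096
2026-04-05T13:58:05Z web-01 203.0.113.10 8080 POST 4096
2026-04-05T13:58:07Z web-01 203.0.113.10 8080 POST 4096
2026-04-05T13:58:09Z web-01 203.0.113.10 8080 POST 1312
2026-04-05T13:59:00Z web-02 198.51.100.20 443 GET 512
2026-04-05T13:59:30Z web-02 10.0.0.5 8080 POST 4096
2026-04-05T13:59:31Z web-02 10.0.0.5 8080 POST 4096
2026-04-05T13:59:32Z web-02 10.0.0.5 8080 POST 4096
2026-04-05T13:59:33Z web-02 10.0.0.5 8080 POST 4096
2026-04-05T14:10:00Z web-03 203.0.113.10 8080 POST 4096
"""

# RFC 1918 ranges checked explicitly; the sample uses documentation
# addresses (203.0.113.0/24) as stand-ins for "external", which Python's
# ipaddress would otherwise classify as private.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst_ip: str
    dst_port: int
    method: str
    bytes_out: int


def parse_line(line: str) -> Event:
    ts, src, dst_ip, port, method, nbytes = line.split()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                 src, dst_ip, int(port), method, int(nbytes))


def parse_log(text: str) -> list[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_chunked_exfil(events, port=8080, min_requests=4,
                       window=timedelta(seconds=60)) -> list[dict]:
    """Return one finding per (source host, external destination) pair whose
    densest burst of POST/PUT requests to <dst>:<port> within `window`
    reaches `min_requests`. Thresholds are assumed defaults, not vendor guidance."""
    groups = defaultdict(list)
    for e in events:
        if e.dst_port != port or e.method not in ("POST", "PUT"):
            continue
        if is_rfc1918(e.dst_ip):
            continue  # internal destination: not the exfil pattern we hunt
        groups[(e.src, e.dst_ip)].append(e)

    findings = []
    for (src, dst), evs in groups.items():
        evs.sort(key=lambda e: e.ts)
        best, start = [], 0
        for end in range(len(evs)):          # sliding window over sorted events
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]
        if len(best) >= min_requests:
            findings.append({
                "src": src,
                "dst": f"{dst}:{port}",
                "requests": len(best),
                "bytes_out": sum(e.bytes_out for e in best),
                "first": best[0].ts.isoformat(),
                "last": best[-1].ts.isoformat(),
            })
    return findings


if __name__ == "__main__":
    for f in find_chunked_exfil(parse_log(SAMPLE_LOG)):
        print(f"[exfil-candidate] {f['src']} -> {f['dst']} "
              f"{f['requests']} requests, {f['bytes_out']} bytes "
              f"between {f['first']} and {f['last']}")
```

On the constructed sample only web-01 is flagged: five POSTs to 203.0.113.10:8080 in eight seconds, all but the last exactly 4096 bytes, which is the fixed-size-chunk shape the alert describes. web-02's burst goes to an internal 10.0.0.5 and is ignored, and web-03's single request is below the threshold. In production, feed the function from the SIEM's proxy or VPC flow export and pair a hit with a host-side check for recently written scripts in the temporary directory.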
Mitigation steps:
Apply security updates for the React2Shell vulnerability
Audit server-side data exposure
Rotate all credentials immediately if compromise is suspected
Enforce AWS IMDSv2
Replace reused SSH keys
Enable secret scanning
Deploy WAF/RASP protections for Next.js applications
Enforce least-privilege access across containers and cloud roles
Affected products:
Next.js applications
React applications with React2Shell vulnerability
Related links:
https://www.bleepingcomputer.com/news/security/critical-react2shell-flaw-in-react-nextjs-lets-hackers-run-javascript-code/
https://blog.talosintelligence.com/uat-10608-inside-a-large-scale-automated-credential-harvesting-operation-targeting-web-applications/
Related CVEs:
CVE-2025-55182
Related threat actors:
IOCs:
NEXUS Listener framework
HTTP traffic over port 8080 to C2 servers
Multi-phase credential-harvesting scripts in temporary directories
This article was created with the assistance of AI technology by Perceptive.
