Hackers Breach 766 Next.js Servers, Steal Credentials

A large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Services secrets, shell command history, Stripe API keys, and GitHub tokens. Cisco Talos has attributed the operation to a threat cluster it tracks as UAT-10608. At least 766 hosts spanning multiple geographic regions and cloud providers have been compromised as part of the activity.

React2Shell, tracked as CVE-2025-55182, is an unauthenticated remote code execution vulnerability in React Server Components with a CVSS score of 10.0. The flaw allows an attacker to send a single HTTP request that executes arbitrary code with the privileges of the user running the affected web server process. No login is required to exploit it: one crafted HTTP request is enough to compromise a vulnerable server.

The campaign is automated: after exploiting React2Shell in vulnerable Next.js apps, the attackers steal credentials at scale. The scale is significant because Next.js is one of the most widely used web frameworks. Many agencies and freelancers deploy client sites on it without ever reviewing the security update history of the framework itself.

If you are building or maintaining Next.js applications, run npx fix-react2shell-next in your project root immediately. Rotate any API keys, SSH keys, and cloud credentials stored in environment variables. The patch is available and the attack is active. Nigerian developers building on Next.js for local and international clients are directly exposed. This is not a theoretical risk. Check your versions today.
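To support the rotation step, here is an added example (not from the article or from any vendor tooling): a Node.js script that lists which variables in a .env-style file hold the credential types named above, so each can be queued for rotation. The patterns are common public token formats, the function names are hypothetical, and the sample input is constructed.

```javascript
// Lists variable names and credential types only; values are never printed.
const RULES = [
  { kind: "aws-access-key-id", re: /^(AKIA|ASIA)[A-Z0-9]{16}$/ },
  { kind: "stripe-api-key", re: /^(sk|rk)_(live|test)_[A-Za-z0-9]{10,}$/ },
  { kind: "github-token", re: /^(gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{20,})$/ },
  { kind: "database-url-with-password", re: /^[a-z][a-z0-9+.-]*:\/\/[^\s:@\/]+:[^\s@\/]+@/i },
  { kind: "private-key", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
];
// Fallback on the variable name when the value has no recognizable format
// (for example an AWS secret access key, which is an opaque string).
const NAME_HINT = /(SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE_?KEY)/i;

// Parse KEY=value lines; handles comments, "export", quotes, inline comments.
function parseEnv(text) {
  const out = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) continue;
    const q = m[2].match(/^(["'])(.*)\1$/);
    const value = q ? q[2] : m[2].replace(/\s+#.*$/, "");
    out.push({ name: m[1], value });
  }
  return out;
}

// Return [{ name, kind }] for every variable that should be rotated.
function inventorySecrets(text) {
  const findings = [];
  for (const { name, value } of parseEnv(text)) {
    if (!value) continue;
    const rule = RULES.find((r) => r.re.test(value));
    if (rule) findings.push({ name, kind: rule.kind });
    else if (NAME_HINT.test(name)) findings.push({ name, kind: "named-like-secret" });
  }
  return findings;
}

// Constructed sample input; none of these values are real credentials.
const SAMPLE_ENV = [
  "NEXT_PUBLIC_SITE_NAME=Demo Shop",
  "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00",
  "AWS_SECRET_ACCESS_KEY='constructed/secret/value/not/real'",
  'DATABASE_URL="postgres://app:constructed-pw@db.internal:5432/shop"',
  "export STRIPE_KEY=sk_live_CONSTRUCTED0000000000 # payments",
  "GITHUB_TOKEN=ghp_" + "A".repeat(36),
].join("\n");
console.log(inventorySecrets(SAMPLE_ENV));
```

On a host that may already have been compromised, treat every variable this reports as exposed and rotate it at the issuing service, not just in the file.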