Intel Node

Automated Credential Theft Campaign Exploits React2Shell Vulnerability in Next.js Applications

Severity: high | Type: vulnerability | Timestamp: 2026-04-09T02:13:20.866622Z
Tags: react2shell, next.js, credential theft, cve-2025-55182, nexus listener

Threat actors are engaged in a significant, automated campaign targeting Next.js applications by exploiting the React2Shell vulnerability, identified as CVE-2025-55182. This operation aims to systematically harvest sensitive credentials from compromised systems, with at least 766 hosts already confirmed to be affected across various cloud environments and geographical locations. The stolen data includes a broad spectrum of secrets critical for system access and operation.

The campaign utilizes a framework dubbed NEXUS Listener, which orchestrates the exploitation and subsequent data exfiltration. Following the initial breach via React2Shell, automated scripts are deployed to execute a multi-phase credential harvesting routine. This process systematically extracts environment variables, API keys, database credentials, SSH private keys, cloud access tokens, Kubernetes tokens, and Docker information, among other sensitive data points. The harvested secrets are then exfiltrated in segmented chunks via HTTP requests to a command-and-control server.
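The segmented exfiltration described above leaves a recognisable shape in egress logs: one internal host sending a short burst of similarly sized POST requests to a single external endpoint, each carrying an incrementing chunk number. The following detection is an added example written for this page, not tooling from the report or from any vendor. It assumes a simple egress-proxy log format ("time source method URL bytes") and uses constructed sample lines with a documentation-range address; the field names, thresholds and the "part" parameter are assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed egress-proxy log lines for the example. Assumed format:
# "<ISO-8601 time> <source host> <method> <URL> <request bytes>".
SAMPLE_LOG = """
2026-04-08T10:00:00Z web-01 GET https://cdn.example/app.js 0
2026-04-08T10:00:01Z web-01 POST https://api.payments.example/v1/charge 512
2026-04-08T10:00:05Z web-01 POST http://203.0.113.10/c?id=a1&part=1 4096
2026-04-08T10:00:06Z web-01 POST http://203.0.113.10/c?id=a1&part=2 4096
2026-04-08T10:00:07Z web-01 POST http://203.0.113.10/c?id=a1&part=3 4096
2026-04-08T10:00:08Z web-01 POST http://203.0.113.10/c?id=a1&part=4 4096
2026-04-08T10:00:09Z web-01 POST http://203.0.113.10/c?id=a1&part=5 1733
2026-04-08T10:00:10Z web-02 POST https://api.payments.example/v1/charge 498
2026-04-08T10:00:11Z web-02 POST https://api.payments.example/v1/charge 501
2026-04-08T10:05:00Z web-02 GET https://cdn.example/app.js 0
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|PUT)\s+(\S+)\s+(\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, size = m.groups()
    u = urlparse(url)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src,
        "method": method,
        "host": u.hostname,
        "path": u.path,
        # keep only the first value of each query parameter
        "query": {k: v[0] for k, v in parse_qs(u.query).items()},
        "size": int(size),
    }


def sequence_param(events):
    """Return the name of a query parameter whose integer value strictly increases across the burst, else None."""
    for name in events[0]["query"]:
        values = [e["query"].get(name, "") for e in events]
        if not all(v.isdigit() for v in values):
            continue
        nums = [int(v) for v in values]
        if all(b > a for a, b in zip(nums, nums[1:])):
            return name
    return None


def find_chunked_uploads(log_text, min_chunks=4, window=timedelta(seconds=60)):
    """Flag (source, destination, path) flows that look like chunked uploads:
    at least min_chunks POST/PUT requests inside the window, with a counter parameter."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    uploads = [e for e in events if e["method"] in ("POST", "PUT")]
    flows = defaultdict(list)
    for e in uploads:
        flows[(e["src"], e["host"], e["path"])].append(e)
    findings = []
    for (src, host, path), evs in flows.items():
        evs.sort(key=lambda e: e["ts"])
        if len(evs) < min_chunks or evs[-1]["ts"] - evs[0]["ts"] > window:
            continue
        param = sequence_param(evs)
        if param is None:
            continue
        findings.append({
            "src": src,
            "dest": host,
            "path": path,
            "chunks": len(evs),
            "sequence_param": param,
            "bytes": sum(e["size"] for e in evs),
            "first": evs[0]["ts"].isoformat(),
            "last": evs[-1]["ts"].isoformat(),
        })
    return findings


if __name__ == "__main__":
    for f in find_chunked_uploads(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dest']}{f['path']}: {f['chunks']} chunks, "
              f"{f['bytes']} bytes, counter={f['sequence_param']}")
```

Two legitimate POSTs to the payments API from each web host fall below the chunk threshold and carry no counter, so only the burst to the external address is reported. Raise the window and lower the threshold for web servers that should never initiate outbound POSTs at all; for those hosts, any outbound upload to an unknown destination is already worth an alert.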

The impact of this campaign is substantial, as the stolen credentials can grant attackers extensive access, including full cloud account takeover, unauthorized access to databases and payment systems, and the facilitation of supply chain attacks. The exfiltration of SSH keys further enables lateral movement within compromised networks. Furthermore, the potential exposure of personally identifiable information raises significant concerns regarding privacy law violations and associated regulatory consequences for affected organizations.

For security teams and operators, this campaign underscores the critical need for prompt patching of known vulnerabilities, particularly in widely used web frameworks like Next.js. Proactive auditing of server-side data exposure and immediate rotation of all potentially compromised credentials are vital mitigation steps.

Implementing robust security measures such as enforcing IMDSv2 for AWS, replacing reused SSH keys, enabling secret scanning, deploying Web Application Firewalls (WAF) or Runtime Application Self-Protection (RASP) solutions, and enforcing the principle of least privilege are essential to limit the attack surface and minimize the potential damage.
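Auditing server-side exposure and deciding what to rotate is easier with an inventory of the secrets a compromised application process could read. The script below is an added example for this page, not code from the report or from any vendor: it classifies environment variables and readable file paths against the categories the campaign harvests (environment secrets, database connection strings, SSH private keys, cloud keys, Kubernetes tokens, Docker config) and produces a rotation checklist with previews redacted. The sample environment, file list and name patterns are constructed for the illustration and are not exhaustive.

```python
import re
from urllib.parse import urlparse

# Constructed sample process environment (values are placeholders, not real credentials).
SAMPLE_ENV = {
    "NODE_ENV": "production",
    "PORT": "3000",
    "PUBLIC_URL": "https://shop.example",
    "DATABASE_URL": "postgres://app:s3cretpass@db.internal:5432/app",
    "STRIPE_SECRET_KEY": "sk_test_constructedvalue000",
    "AWS_ACCESS_KEY_ID": "AKIAEXAMPLE0000000000",
    "AWS_SECRET_ACCESS_KEY": "constructedsecret/valuefortheexample",
}

# Constructed list of files readable by the application user.
SAMPLE_FILES = [
    "/home/app/.ssh/id_ed25519",
    "/home/app/.ssh/id_ed25519.pub",  # public half, not a secret
    "/var/run/secrets/kubernetes.io/serviceaccount/token",
    "/home/app/.docker/config.json",
    "/srv/app/.env.production",
    "/srv/app/package.json",
]

# Variable-name fragments that usually denote a credential (assumed list).
SECRET_NAME_RE = re.compile(
    r"(SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|PRIVATE_KEY|CREDENTIALS)", re.I
)

# File locations matching the categories the campaign is described as harvesting (assumed patterns).
SENSITIVE_PATHS = {
    "ssh private key": re.compile(r"(^|/)\.ssh/id_[a-z0-9]+$"),
    "kubernetes service account token": re.compile(r"/serviceaccount/token$"),
    "docker config": re.compile(r"(^|/)\.docker/config\.json$"),
    "cloud credentials file": re.compile(r"(^|/)\.aws/credentials$"),
    "application .env file": re.compile(r"(^|/)\.env(\.[a-z]+)?$"),
}

# Rotation guidance per category, following the mitigations the report lists.
ACTIONS = {
    "ssh private key": "replace the key pair and remove the old public key from every host",
    "kubernetes service account token": "rotate the service account token and review its RBAC bindings",
    "docker config": "revoke the registry credentials and log in again with new ones",
    "cloud credentials file": "rotate the cloud keys and prefer instance roles with IMDSv2",
    "application .env file": "rotate every value in the file and move secrets to a secret manager",
    "connection string with embedded password": "rotate the database password and restrict the account",
    "secret in environment variable": "rotate the value and provision it from a secret manager",
}


def redact(value):
    """Show only a short prefix so the checklist itself does not leak the secret."""
    return value[:4] + "..." if len(value) > 8 else "***"


def classify_env(name, value):
    """Return a finding category for an environment variable, or None if it looks benign."""
    if not value:
        return None
    try:
        if urlparse(value).password:
            return "connection string with embedded password"
    except ValueError:
        pass
    if SECRET_NAME_RE.search(name):
        return "secret in environment variable"
    return None


def audit_exposure(env, readable_files):
    """Build a rotation checklist from the process environment and readable sensitive files."""
    findings = []
    for name, value in env.items():
        kind = classify_env(name, value)
        if kind:
            findings.append({"kind": kind, "item": name, "preview": redact(value), "action": ACTIONS[kind]})
    for path in readable_files:
        for kind, pattern in SENSITIVE_PATHS.items():
            if pattern.search(path):
                findings.append({"kind": kind, "item": path, "action": ACTIONS[kind]})
    return findings


if __name__ == "__main__":
    for f in audit_exposure(SAMPLE_ENV, SAMPLE_FILES):
        print(f"[{f['kind']}] {f['item']} -> {f['action']}")
```

Running it against a real host means passing `dict(os.environ)` and a walk of the application user's home and working directories; the point of the redacted preview is that the checklist can be shared with the rotation owners without copying the secrets a second time.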

In conclusion, the ongoing exploitation of React2Shell presents a clear and present danger to organizations utilizing vulnerable Next.js applications. The automated nature and broad scope of this credential theft campaign necessitate immediate attention and the implementation of recommended security best practices to safeguard sensitive data and prevent further compromise.