A large-scale credential harvesting campaign has been observed targeting Next.js hosts, exploiting the React2Shell vulnerability (CVE-2025-55182) to gain initial access.

Once on a host, the attackers harvest sensitive data: database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens. Each of these extends the compromise beyond the web server itself, to databases, other hosts reachable over SSH, cloud accounts, payment infrastructure, and source repositories.

Cisco Talos attributes the operation to a specific threat cluster, which points to a coordinated campaign rather than opportunistic scanning.

With 766 Next.js hosts reported breached, any unpatched Next.js deployment exposed to the internet should be treated as at risk until CVE-2025-55182 is remediated.

Organizations running Next.js should update to a release that fixes CVE-2025-55182 and monitor for suspicious activity, in particular the Node.js process reading files it has no business touching (SSH keys, AWS credential files, shell history, .env files). Patching closes the entry point but does not revoke what was already taken: on any host that was exposed before the fix was applied, every credential of the types listed above should be treated as compromised and rotated.
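The following script is an added example, not code from the original article or from Cisco Talos. It inventories a directory tree for the credential artifacts the report says were harvested, so a responder knows which secrets to rotate on a suspected host. The on-disk locations (`.ssh/id_*`, `.aws/credentials`, shell history files) and the `.env` key names (`DATABASE_URL`, `STRIPE_SECRET_KEY`, `GITHUB_TOKEN`, and so on) are common defaults assumed for this example; they are not indicators published in the report. `build_sample_tree()` creates a constructed sample layout so the script runs offline.

```python
"""
Post-exposure credential inventory for a Next.js host suspected of
React2Shell (CVE-2025-55182) compromise.

Added example, not from the original article. File locations and .env key
names below are typical defaults and are assumptions, not report indicators.
"""
import os
import re
import tempfile
from pathlib import Path

# Report categories mapped to typical on-disk locations (assumed), relative to
# the scanned root (normally the app user's home directory).
ARTIFACT_PATHS = {
    "ssh_private_key": [".ssh/id_rsa", ".ssh/id_ed25519", ".ssh/id_ecdsa"],
    "aws_secrets": [".aws/credentials"],
    "shell_history": [".bash_history", ".zsh_history"],
}

# .env keys that commonly hold the remaining categories (assumed names).
ENV_KEY_PATTERNS = {
    "database_credentials": re.compile(
        r"^(DATABASE_URL|DB_PASSWORD|POSTGRES_PASSWORD|MYSQL_PASSWORD)="),
    "stripe_api_key": re.compile(r"^STRIPE_(SECRET|API)_KEY="),
    "github_token": re.compile(r"^(GITHUB_TOKEN|GH_TOKEN)="),
}


def inventory(root):
    """Return {category: [paths relative to root]} for artifacts found under root."""
    root = Path(root)
    found = {}
    for category, rel_paths in ARTIFACT_PATHS.items():
        hits = [p for p in rel_paths if (root / p).is_file()]
        if hits:
            found[category] = hits
    # Next.js apps keep secrets in .env, .env.local, .env.production, ...
    for env_file in sorted(root.rglob(".env*")):
        if not env_file.is_file() or "node_modules" in env_file.parts:
            continue
        try:
            lines = env_file.read_text(errors="replace").splitlines()
        except OSError:
            continue
        rel = env_file.relative_to(root).as_posix()
        for line in lines:
            for category, pat in ENV_KEY_PATTERNS.items():
                if pat.match(line.strip()):
                    found.setdefault(category, [])
                    if rel not in found[category]:
                        found[category].append(rel)
    return found


def exposed_categories(found):
    """Sorted list of secret categories present, i.e. what must be rotated/reviewed."""
    return sorted(found)


def build_sample_tree():
    """Create a constructed sample home directory (not real data) and return its path."""
    root = Path(tempfile.mkdtemp(prefix="react2shell-inv-"))
    (root / ".ssh").mkdir()
    (root / ".ssh" / "id_ed25519").write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED\n")
    (root / ".bash_history").write_text("cd app && npm run build\n")
    (root / "app").mkdir()
    (root / "app" / ".env.local").write_text(
        "DATABASE_URL=postgres://app:constructed@localhost/appdb\n"
        "STRIPE_SECRET_KEY=sk_test_constructed\n"
        "NEXT_PUBLIC_SITE=https://example.invalid\n")
    # A .env under node_modules is ignored: it is package content, not the app's secrets.
    (root / "app" / "node_modules" / "pkg").mkdir(parents=True)
    (root / "app" / "node_modules" / "pkg" / ".env").write_text("GITHUB_TOKEN=ghp_constructed\n")
    return str(root)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    result = inventory(target)
    for cat, paths in sorted(result.items()):
        print(f"{cat}: {', '.join(paths)}")
    print("rotate/review:", ", ".join(exposed_categories(result)) or "nothing found")
```

Run it with the home directory of the user the Next.js process runs as (`python3 inventory.py /home/app`); with no argument it scans the constructed sample tree. The output is a rotation checklist, not proof of theft: absence of an artifact on disk says nothing about secrets held only in process memory or in a secrets manager.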

Tracking newly disclosed vulnerabilities in widely deployed frameworks, CVE-2025-55182 among them, and patching before exploitation becomes routine remains the most reliable defence against campaigns of this kind.

Source: Original Article