A large-scale credential harvesting operation has been observed in the wild, exploiting the React2Shell vulnerability (CVE-2025-55182) as an initial infection vector to steal sensitive credentials from hundreds of Next.js application servers, according to analysis from Cisco Talos.
The campaign has so far successfully compromised 766 Next.js hosts, exfiltrating a broad range of sensitive secrets including database credentials, SSH private keys, Amazon Web Services (AWS) access keys, shell command histories, Stripe API keys, and GitHub personal access tokens.
What Is CVE-2025-55182 (React2Shell)?
CVE-2025-55182, nicknamed React2Shell, is a vulnerability affecting Next.js deployments. A crafted request to the server-side rendering or API layer of a vulnerable application lets an attacker achieve remote code execution (RCE) or server-side request forgery (SSRF) on the server, which in turn gives direct access to the underlying filesystem and environment variables, exactly where the credentials harvested in this campaign are stored.
| Detail | Value |
|---|---|
| CVE | CVE-2025-55182 |
| Name | React2Shell |
| Affected | Next.js (multiple versions) |
| Impact | Remote code execution / credential exfiltration |
| Exploited in the Wild | Yes — active mass exploitation |
| Hosts Breached | 766 confirmed |
| Reported by | Cisco Talos |
What Data Is Being Stolen
The attackers are conducting systematic harvesting of every credential type accessible through the compromised Next.js environment:
| Credential Type | Risk |
|---|---|
| AWS access keys and secrets | Full cloud account compromise, resource abuse, data exfiltration |
| SSH private keys | Persistent access to servers and infrastructure |
| GitHub personal access tokens | Code repository access, supply chain attack pivot |
| Database credentials | Direct database access for data theft or ransomware |
| Stripe API keys | Financial fraud, payment data access |
| Shell command history | Reveals infrastructure topology, additional credentials |
This credential profile suggests attackers are prioritising cloud infrastructure access and developer toolchain secrets — both of which can enable cascading downstream compromises well beyond the initial Next.js host.
How the Attack Unfolds
1. Attackers scan the internet for Next.js deployments
— Mass scanning using Shodan/Censys fingerprinting of Next.js response headers
2. Identify vulnerable hosts
— Test for CVE-2025-55182 (React2Shell) exploitability
3. Exploit the vulnerability
— Send crafted request triggering RCE or SSRF on the Next.js server
4. Enumerate credentials on the server filesystem
— Read environment variables (.env, .env.local, process.env)
— Read ~/.ssh/ directory for private keys
— Read shell history files (~/.bash_history, ~/.zsh_history)
— Read application config files with embedded secrets
5. Exfiltrate all harvested credentials to attacker-controlled infrastructure
6. Stage credentials for sale or use in downstream attacks
— AWS keys used for cryptomining or data theft
— SSH keys used for persistent access
— GitHub tokens used for supply chain attacks
Scale of the Campaign
766 confirmed breached hosts is a large number for a campaign against developer-facing infrastructure. Next.js is one of the most widely deployed React-based frameworks, used across every industry sector, so the pool of exposed targets is correspondingly large.
Given the nature of credentials being harvested — particularly AWS secrets and GitHub tokens — each initial compromise can cascade into additional breaches:
- An AWS key compromise can expose entire cloud environments, S3 buckets, databases, and compute resources
- A GitHub token compromise can enable attackers to read private repositories, inject code, or establish supply chain footholds
- SSH private keys can persist as backdoors long after the initial Next.js vulnerability is patched
Who Is Behind the Campaign
Cisco Talos has not publicly attributed the campaign to a specific threat actor group as of this report. The systematic nature of the exploitation — mass scanning, automated credential enumeration, and structured exfiltration — is consistent with financially motivated cybercriminal actors who aggregate and monetise stolen credentials.
Mitigation Steps
Immediate Actions
```bash
# 1. Check the installed Next.js version. package.json only shows the declared
#    range; `npm ls` shows what is actually installed.
npm ls next
grep '"next"' package.json

# 2. Update Next.js to a fixed release. `npm update` only moves within the semver
#    range declared in package.json, so pin the fixed version explicitly if needed.
npm update next
# or specify the patched version
npm install next@<patched-version>

# 3. Rotate all secrets immediately if you may be affected. Patching alone does not
#    help once credentials have already left the host.
# — Rotate AWS IAM access keys (create the new key, switch the app over, then
#   deactivate and delete the old one)
# — Revoke and regenerate GitHub personal access tokens
# — Rotate database passwords
# — Rotate Stripe API keys
# — Rotate or regenerate SSH keypairs, and check ~/.ssh/authorized_keys for keys you did not add
```
Environment Variable Security
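Step 4 of the attack chain above (reading .env files and process.env) and the grep at the end of this section come down to the same question: which variables in the .env files and the process environment hold real secrets, and which of those are also shipped to the browser? The script below is an added example and is not code from the article, from Cisco Talos or from Next.js. It parses .env-style text, flags values that match the well-known formats of the credential families the article lists (AWS access key IDs, GitHub personal access tokens, Stripe secret keys, PEM private keys, database URLs with an embedded password) or names that look secret-bearing, and marks any such NEXT_PUBLIC_ variable as browser-exposed. The sample file, the function names and the name/value patterns are this example's own; the sample contains no real credentials. The same audit_env() function can be run over os.environ to see what the server process itself exposes.

```python
import os
import re
from typing import Dict, List, Tuple

# Variable names that usually carry a secret (same idea as the grep in this section).
SECRET_NAME = re.compile(r"KEY|SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE|CREDENTIAL", re.I)

# Well-known value formats for the credential families the article lists.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b"),
    "stripe_secret_key": re.compile(r"\bsk_(live|test)_[A-Za-z0-9]{10,}\b"),
    "private_key_pem": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "db_url_with_password": re.compile(r"^[a-z+]+://[^:/\s]+:[^@\s]+@", re.I),
}

# Constructed sample .env.local for this example; none of these values are real credentials.
SAMPLE_DOTENV = """\
# app settings
NEXT_PUBLIC_API_URL=https://api.example.com
NEXT_PUBLIC_STRIPE_SECRET=sk_live_EXAMPLEonly0000000000
AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000
AWS_SECRET_ACCESS_KEY="notARealSecret/ExampleOnly+0000000000000"
GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJ012345
DATABASE_URL=postgres://app:s3cr3t@db.internal:5432/app
export SESSION_SECRET='change-me'
NODE_ENV=production
"""


def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal .env parser: KEY=VALUE lines, optional `export`, optional quotes, `#` comments."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        name, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[name.strip()] = value
    return env


def classify(name: str, value: str) -> List[str]:
    """Reasons a variable looks like a secret; empty list when it does not."""
    reasons = [kind for kind, pat in VALUE_PATTERNS.items() if pat.search(value)]
    if value and SECRET_NAME.search(name):
        reasons.append("secret-like name")
    return reasons


def audit_env(env: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Audit a name->value mapping (a parsed .env file or os.environ).

    Returns (severity, name, reasons). Severity is "browser-exposed" for
    NEXT_PUBLIC_ variables, which Next.js inlines into the client bundle, and
    "server-only" for everything else, which an RCE on the host can still read.
    """
    findings = []
    for name, value in env.items():
        reasons = classify(name, value)
        if reasons:
            severity = "browser-exposed" if name.startswith("NEXT_PUBLIC_") else "server-only"
            findings.append((severity, name, reasons))
    return findings


def audit_dotenv_text(text: str) -> List[Tuple[str, str, List[str]]]:
    """Parse .env-style text and audit it."""
    return audit_env(parse_dotenv(text))


if __name__ == "__main__":
    for severity, name, reasons in audit_dotenv_text(SAMPLE_DOTENV):
        print(f"{severity:15} {name:28} {', '.join(reasons)}")
    # The same check over the live process environment (what process.env exposes):
    for severity, name, reasons in audit_env(dict(os.environ)):
        print(f"{severity:15} {name:28} {', '.join(reasons)}")
```

Every "server-only" finding is a secret that a React2Shell RCE on the host could read; every "browser-exposed" finding is one that has already been handed to anyone who loads the site. Treat both lists as the rotation list for step 3 above.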
```bash
# Audit what secrets are exposed in your runtime environment.
# Server-side secrets must NOT be prefixed with NEXT_PUBLIC_: Next.js inlines
# NEXT_PUBLIC_ variables into the browser bundle, so never put secrets there.
# Review .env files for sensitive data (grep reads the files directly; no cat needed)
grep -E 'KEY|SECRET|TOKEN|PASSWORD|PRIVATE' .env .env.local 2>/dev/null
```
Detection
Check the access logs of your Next.js servers for exploit attempts: anomalous requests to the server-rendering or API layer, unusual API route traversal patterns, and unexpected outbound connections from the Next.js server process. On the host itself, the attack chain above leaves a characteristic trace: the Node.js process that serves the application spawns a shell or a download tool, that child reads .env files, the ~/.ssh/ directory and shell history files, and the server then opens an outbound connection to an address it never normally contacts.
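The host-level trace described above can be turned into a small detection. The script below is an added example, not code from the article or from Cisco Talos; the event format is a simplified JSON-lines shape assumed here (fields pid, ppid, comm, path, dst), not the syntax of auditd or any specific EDR, and the sample events, the server pid and the allowed destination are constructed for the example. It follows the process tree rooted at the Next.js server process and flags the three behaviours from the attack chain: a shell or download tool spawned by the server, credential files read by the server's descendants, and an outbound connection to a destination that is not on the allowlist. Because Next.js itself reads .env files at startup, a .env read counts only when a child process does it, while SSH keys and shell history are flagged whoever in the tree reads them.

```python
import json
import re
from typing import Dict, List

# Processes a web server has no business launching; an RCE payload typically
# starts with one of these to enumerate and exfiltrate credentials.
SHELLS_AND_TOOLS = {"sh", "bash", "dash", "zsh", "curl", "wget", "python", "python3", "perl", "nc"}

# Paths from step 4 of the attack chain. SSH keys and shell history are never
# legitimately read by the web server; .env files are read by Next.js itself at
# startup, so those only count when a child process (e.g. cat) touches them.
SSH_OR_HISTORY = re.compile(r"/\.ssh/|/\.(bash|zsh)_history$")
DOTENV_FILE = re.compile(r"/\.env(\.[A-Za-z]+)*$")

# Assumed for this example: destinations the server contacts in normal operation (its database).
ALLOWED_DESTINATIONS = frozenset({"10.0.2.15"})

# Constructed events in a simplified JSON-lines shape (assumed; real auditd/EDR
# feeds differ in syntax but carry the same fields). Not a capture from a real incident.
SAMPLE_EVENTS = """\
{"ts": "2026-03-30T02:10:00Z", "type": "open", "pid": 3990, "ppid": 1, "comm": "node", "path": "/srv/app/.next/server/app/page.js"}
{"ts": "2026-03-30T02:10:01Z", "type": "connect", "pid": 3990, "ppid": 1, "comm": "node", "dst": "10.0.2.15", "dport": 5432}
{"ts": "2026-03-30T02:14:07Z", "type": "exec", "pid": 4101, "ppid": 3990, "comm": "sh", "argv": ["sh", "-c", "cat /home/app/.ssh/id_rsa /home/app/.bash_history /srv/app/.env.local"]}
{"ts": "2026-03-30T02:14:07Z", "type": "open", "pid": 4102, "ppid": 4101, "comm": "cat", "path": "/home/app/.ssh/id_rsa"}
{"ts": "2026-03-30T02:14:08Z", "type": "open", "pid": 4102, "ppid": 4101, "comm": "cat", "path": "/srv/app/.env.local"}
{"ts": "2026-03-30T02:14:09Z", "type": "connect", "pid": 3990, "ppid": 1, "comm": "node", "dst": "203.0.113.45", "dport": 443}
"""


def load_events(text: str) -> List[Dict]:
    """Parse JSON-lines event text into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: List[Dict], server_pid: int, allowed_dsts=ALLOWED_DESTINATIONS) -> List[Dict]:
    """Follow the process tree rooted at the Next.js server and flag the three
    behaviours from the attack chain: shell spawned, credential files read,
    unexpected outbound connection. Returns alerts in time order."""
    lineage = {server_pid}          # server pid plus every descendant seen so far
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, ppid = ev["pid"], ev.get("ppid")
        if pid not in lineage and ppid not in lineage:
            continue                # unrelated process, ignore
        lineage.add(pid)
        kind = ev["type"]
        rule, detail = None, None
        if kind == "exec" and ev["comm"] in SHELLS_AND_TOOLS:
            rule, detail = "server_spawned_shell", " ".join(ev.get("argv", [ev["comm"]]))
        elif kind == "open":
            path = ev["path"]
            if SSH_OR_HISTORY.search(path) or (DOTENV_FILE.search(path) and pid != server_pid):
                rule, detail = "credential_file_read", f"{ev['comm']} read {path}"
        elif kind == "connect" and ev["dst"] not in allowed_dsts:
            rule, detail = "unexpected_outbound", f"{ev['comm']} -> {ev['dst']}:{ev['dport']}"
        if rule is not None:
            alerts.append({"ts": ev["ts"], "rule": rule, "pid": pid, "detail": detail})
    return alerts


if __name__ == "__main__":
    for a in detect(load_events(SAMPLE_EVENTS), server_pid=3990):
        print(a["ts"], a["rule"], a["pid"], a["detail"])
```

Run against the sample, the server's own startup read of its bundle and its database connection produce nothing, while the four events after exploitation each produce one alert. Tracking the lineage rather than matching on process names alone is what keeps a sysadmin's interactive `cat ~/.ssh/id_rsa` out of the alert stream.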
Review your cloud provider logs for:
- Unexpected API calls from your AWS access keys
- New IAM users or roles created
- Unusual S3 bucket access patterns
- Compute resources spun up in unexpected regions
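The four cloud-side checks above map onto fields that CloudTrail records carry (eventTime, eventSource, eventName, awsRegion, sourceIPAddress, userIdentity.accessKeyId). The script below is an added example, not code from the article, from Cisco Talos or from AWS; it triages a batch of such records for one access key that is known to have been on a compromised host. The records are constructed for the example, and the allowlisted subnet, the expected region and the assumption that the application reads known objects but never lists buckets are this example's assumptions, to be replaced with what the real deployment does.

```python
import ipaddress
import json
from typing import Dict, Iterable, List

# IAM calls that create a new principal or credential (persistence after key theft).
IAM_PRINCIPAL_CREATION = {"CreateUser", "CreateRole", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy"}

# Assumed for this example: the key the compromised Next.js host held, the subnet it
# normally calls from, and the only region the application runs in.
WATCHED_KEYS = {"AKIAEXAMPLE000000000"}
ALLOWED_NETWORKS = ["10.0.2.0/24"]
EXPECTED_REGIONS = {"eu-west-1"}

# Constructed CloudTrail-style records (field names follow CloudTrail; values are
# invented). The 203.0.113.45 calls model the attacker using the stolen key.
SAMPLE_RECORDS = """\
{"eventTime": "2026-03-30T01:55:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "eu-west-1", "sourceIPAddress": "10.0.2.20", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000000"}}
{"eventTime": "2026-03-30T02:20:11Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.45", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000000"}}
{"eventTime": "2026-03-30T02:21:40Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.45", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000000"}, "requestParameters": {"userName": "backup-svc"}}
{"eventTime": "2026-03-30T02:22:05Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "ap-southeast-1", "sourceIPAddress": "203.0.113.45", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000000"}}
{"eventTime": "2026-03-30T02:22:30Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "awsRegion": "eu-west-1", "sourceIPAddress": "10.0.2.20", "userIdentity": {"accessKeyId": "AKIAOTHERKEY00000000"}}
"""


def load_records(text: str) -> List[Dict]:
    """Parse JSON-lines CloudTrail-style records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(records: Iterable[Dict], watched_keys=WATCHED_KEYS, allowed_networks=ALLOWED_NETWORKS,
           expected_regions=EXPECTED_REGIONS) -> List[Dict]:
    """Apply the four checks from the article to every call made with a watched key."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings: List[Dict] = []
    for r in sorted(records, key=lambda r: r["eventTime"]):
        key = r.get("userIdentity", {}).get("accessKeyId")
        if key not in watched_keys:
            continue
        ip = r.get("sourceIPAddress", "")
        try:
            from_known_net = any(ipaddress.ip_address(ip) in n for n in nets)
        except ValueError:
            # CloudTrail puts a service name (e.g. "ec2.amazonaws.com") here for
            # AWS-internal calls; surface those for a human rather than skip them.
            from_known_net = False
        hits = []
        if not from_known_net:                                   # unexpected API call source
            hits.append("call_from_unexpected_ip")
        if r["eventSource"] == "iam.amazonaws.com" and r["eventName"] in IAM_PRINCIPAL_CREATION:
            hits.append("iam_principal_created")                 # new IAM user/role/key
        if r["eventSource"] == "s3.amazonaws.com" and r["eventName"].startswith("List"):
            hits.append("s3_enumeration")                        # assumed: the app never lists buckets
        if r["eventName"] == "RunInstances" and r["awsRegion"] not in expected_regions:
            hits.append("compute_in_unexpected_region")          # cryptomining pattern
        for rule in hits:
            findings.append({"rule": rule, "time": r["eventTime"], "key": key,
                             "event": r["eventName"], "region": r["awsRegion"], "ip": ip})
    return findings


if __name__ == "__main__":
    for f in triage(load_records(SAMPLE_RECORDS)):
        print(f["time"], f["rule"], f["event"], f["region"], f["ip"])
```

On the sample, the application's own GetObject from inside the subnet is silent, and each of the three attacker calls is flagged twice: once for coming from an address the key never used before, and once for what it did (bucket enumeration, a new IAM user, an instance in a region the application does not use). The generic source-IP rule is the one that fires first in a real incident; the other three tell you what the attacker is after.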
Impact on the Software Supply Chain
The targeting of GitHub tokens is particularly concerning from a software supply chain perspective. A compromised GitHub token can enable an attacker to:
- Read private source code repositories
- Push malicious commits to repositories used in CI/CD pipelines
- Access GitHub Actions secrets and workflows
- Modify package publishing workflows to inject malicious code into npm packages
This transforms an initial Next.js host compromise into a potential supply chain attack affecting downstream users of any affected packages.
References
Source: The Hacker News — April 2, 2026