A massive automated credential theft campaign is actively targeting web applications worldwide. Cybersecurity researchers at Cisco Talos have uncovered an operation by a hacker group tracked as UAT-10608, which has already compromised over 700 servers.<\/p>\n
The attackers are exploiting a critical security flaw known as React2Shell to gain access and steal highly sensitive data. The hackers are specifically targeting Next.js applications vulnerable to CVE-2025-55182, widely known as React2Shell<\/a>.<\/p>\n This is a severe remote code execution flaw in React Server Components. It allows attackers to send a specially crafted web request to a vulnerable server.<\/p>\n Because the server does not properly check the incoming data, it executes the attacker\u2019s hidden commands. Worst of all, this attack requires no passwords or user interaction.<\/p>\n The UAT-10608 group uses automated tools to scan the internet for vulnerable Next.js servers. Once they find a target, they launch the React2Shell exploit to gain initial access<\/a>. The exploit then downloads a malicious script onto the server.<\/p>\n This script runs quietly in the background, acting like a digital vacuum cleaner. It searches the server\u2019s files, cloud settings, and system memory to harvest valuable credentials.<\/p>\n The script works in multiple phases, extracting everything from cloud tokens to database passwords, and then sends the stolen data back to the hackers\u2019 command-and-control server.<\/a><\/p>\n To manage the massive amount of stolen information, the attackers use a custom web dashboard called the \u201cNEXUS Listener\u201d. Cisco Talos researchers discovered<\/a> that in just 24 hours, the dashboard recorded 766 compromised hosts.<\/p>\n The dashboard revealed the shocking scale of the theft:<\/p>\n The consequences of this attack are devastating. With the stolen database passwords, hackers can access private user information and financial records.<\/p>\n The exposed SSH keys allow them to move freely across different servers within a company\u2019s network.<\/p>\n Furthermore, stolen cloud credentials give attackers the power to take over entire cloud environments, while\u00a0compromised<\/a><\/span> GitHub tokens <\/a>could be used to insert malicious code into legitimate software updates.<\/p>\n Companies using Next.js must take immediate action to protect themselves. Organizations should urgently update their web applications to patch the React2Shell vulnerability.<\/a><\/p>\n Additionally, any company that might have been targeted should immediately change all its passwords, API keys, and security tokens<\/a>.<\/p>\n Experts also recommend restricting access to cloud metadata services and carefully monitoring servers for any unusual background processes.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Hackers Compromised 700+ Next.js Hosts by Exploiting React2Shell Vulnerability<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n700+ Next.js Hosts Exploited<\/strong><\/h2>\n
![\"NEXUS](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhINmOtKf5IEAr4vZqtzNmSs8WR3DgMtt7SGieNHj7G4fOQzK3CSKwRMUvCeAzw29Ub4I3gtVGESD58S2y9sWMGf48Hu1VQSiSCo_Xg4GnwK_qZ8JlK82WRkZ1Lc_7Cx0tYKIe8pw9jy88exc5DbylTlHhUps7A5o9iGvqliiqSZDVcG0hsp_vYGBNwm4M\/s1600\/Screenshot%25202026-04-03%2520105838%2520%25281%2529.webp?ssl=1\")
\n
![\"NEXUS](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjjh6DTLek6PFsZdLgNwojhCJBnxoTk65jtwwlX2IDU1ijYlBUKptlfSg1gZ50Gh96CmtvCOMp3H3_d5zjorG44mE0UpSuNaePkaglOF_QZHGF44SxDK2WYzhQ4FljTw3MkCxL4zw2I4jD-a9pHOZDhK-BOiAfdhJwxW0zzpRInYxuCJVbyauiMu7OtphA\/s1600\/Screenshot%25202026-04-03%2520104535%2520%25281%2529.webp?ssl=1\")