Top Highlights
- A large-scale credential theft operation exploits React2Shell and CVE-2025-55182 to compromise over 766 hosts globally, targeting Next.js vulnerabilities for initial access.
- The attackers deploy automated scripts to extract sensitive data such as API keys, credentials, and environment configurations, which are then accessible via a web-based GUI called ‘NEXUS Listener.’
- The campaign leverages automated scanning tools like Shodan and Censys to identify vulnerable systems, emphasizing widespread, indiscriminate targeting.
- The stolen data—including API keys, cloud credentials, and infrastructure details—can enable follow-on attacks, highlighting the need for organizations to enforce strict security measures and credential rotations.
Hackers Exploit Critical Vulnerability to Breach Over 700 Next.js Websites
Recently, a large-scale cyberattack targeted vulnerable Next.js applications and led to the theft of sensitive credentials. The attackers used a known security flaw, CVE-2025-55182, which affects React Server Components and the Next.js App Router. The flaw carries a maximum severity score of 10.0, making it highly critical. The hackers first gained access by deploying a dropper, a malicious script that installs a multi-phase harvesting tool. Once inside, the script collected detailed information from the compromised systems. The operation affected at least 766 websites across various regions and cloud services. Security researchers observed that automated scanning tools likely identified these vulnerable sites; such scans use services like Shodan or Censys to locate publicly reachable Next.js instances. The hackers then exploited the vulnerability to drop their collection framework, called ‘NEXUS Listener’. This web-based platform let them view the stolen data and analyze each breach, making the operation more efficient.
Scope of Data Compromised and Implications for Organizations
The attack resulted in the theft of a wide range of sensitive information. Among the stolen data were database credentials, SSH private keys, API keys for services such as Stripe, and tokens for GitHub and GitLab. The hackers also collected environment variables, container configurations, and cloud service credentials such as AWS secrets. This extensive data gathering shows the attackers’ intent to use the stolen information for further criminal activity: for example, launching follow-on targeted attacks or selling the access to other malicious actors. Most concerning, the attackers accessed an unauthenticated version of the NEXUS Listener, which shows how quickly vulnerabilities can be exploited when systems are not properly secured. Experts advise organizations to review their systems, enforce least-privilege policies, and rotate credentials regularly. Such steps can help prevent similar breaches and limit the potential damage from cybercriminals. The incident underscores the importance of swift action and continuous security improvement in today’s digital landscape.