Hackers Exploit Next.js Flaw to Breach 766 Sites, Steal Credentials

A large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability as an initial infection vector to steal


A widespread credential harvesting campaign has leveraged a critical vulnerability in Next.js applications to infiltrate hundreds of web servers and exfiltrate sensitive data at scale. Security researchers at Cisco Talos identified the operation, which exploits CVE-2025-55182, commonly referred to as the React2Shell vulnerability, as a primary infection mechanism.

Next.js vulnerability enables mass credential theft

The attack targets a range of high-value credentials stored on compromised servers. Attackers have successfully stolen database credentials, SSH private keys, Amazon Web Services authentication tokens, shell command history logs, Stripe API keys, and GitHub personal access tokens from affected hosts. The scale of the campaign is significant, with at least 766 Next.js-based websites falling victim to the coordinated exploitation effort.

766 websites compromised in coordinated campaign

The React2Shell vulnerability represents a critical security gap in Next.js deployments, allowing attackers to achieve initial code execution on vulnerable servers. Once inside a system, threat actors deploy credential harvesting tools to systematically extract sensitive authentication materials that provide pathways to further compromise an organization's infrastructure and third-party services.

Attackers steal AWS keys, SSH credentials, API tokens

The operation underscores the rapid weaponization of newly disclosed vulnerabilities in popular web frameworks. Next.js, which powers millions of web applications globally, remains an attractive target for sophisticated threat actors seeking to compromise enterprise systems and gain access to downstream services. The theft of AWS secrets, API keys, and GitHub tokens suggests attackers are positioning themselves for lateral movement and potential supply chain attacks.

Organizations urged to patch and rotate credentials

Organizations running Next.js applications are urged to prioritize patching immediately. Security teams should audit logs for signs of exploitation, rotate all potentially compromised credentials, and add monitoring for suspicious access patterns. The incident highlights the importance of rapid vulnerability response in production environments, particularly for widely used frameworks where exploitation tools become available quickly after public disclosure.
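As an added triage example (not from the article or Cisco Talos): a script that classifies which of the credential types named above are present in a captured environment file from a suspect host, so the rotation list is built from evidence rather than guesswork. The key prefixes are public vendor formats; the sample .env and the rotation priority order are this example's own assumptions.

```python
import re
from typing import Dict, List

# Credential classes named in the article, matched by their documented formats.
# The prefixes (AKIA/ASIA, sk_live_/sk_test_, ghp_/github_pat_) are public
# vendor conventions; the class names and ordering are assumptions of this example.
CREDENTIAL_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "github_token": re.compile(r"\b(?:ghp_[0-9A-Za-z]{36}|github_pat_[0-9A-Za-z_]{22,})\b"),
    "database_url": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s'\"]+", re.I),
    "private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
}


def redact(value: str) -> str:
    """Keep just enough of a match to identify it in a rotation ticket."""
    if len(value) <= 8:
        return "*" * len(value)
    return f"{value[:4]}...{value[-4:]}"


def find_exposed_credentials(text: str) -> Dict[str, List[str]]:
    """Return {credential_class: [redacted matches]} for each class present."""
    found: Dict[str, List[str]] = {}
    for name, pattern in CREDENTIAL_PATTERNS.items():
        matches = [redact(m.group(0)) for m in pattern.finditer(text)]
        if matches:
            found[name] = matches
    return found


def rotation_plan(text: str) -> List[str]:
    """Credential classes present, ordered by blast radius: cloud and VCS tokens
    first, then payment and database secrets, then host keys."""
    priority = ["aws_access_key_id", "github_token", "stripe_secret_key",
                "database_url", "private_key"]
    present = find_exposed_credentials(text)
    return [name for name in priority if name in present]


# Constructed .env from a hypothetical compromised host. The AWS value is the
# public example key from AWS documentation; the other values are made up.
SAMPLE_ENV = f"""
DATABASE_URL=postgresql://app:s3cr3t@db.internal:5432/prod
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
STRIPE_SECRET_KEY=sk_test_EXAMPLE0000000000000000
GITHUB_TOKEN=ghp_{'0' * 36}
NEXT_PUBLIC_API_URL=https://example.invalid/api
"""

if __name__ == "__main__":
    for cls in rotation_plan(SAMPLE_ENV):
        print(cls, find_exposed_credentials(SAMPLE_ENV)[cls])
```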

Editorial note: This article represents original analysis and commentary by the TechDailyPulse editorial team.