
Hackers exploit React2Shell in automated credential theft campaign

UAT-10608 is actively exploiting CVE-2025-55182 in Next.js applications via React2Shell to harvest credentials at scale. At least 766 hosts have been compromised, with attackers stealing database credentials, AWS keys, SSH private keys, and API tokens. Stolen credentials are being used for cloud account takeovers and lateral movement.

CRITICAL | Advisory | Apr 06, 2026
Action required
Immediately patch all Next.js applications to the latest version and scan logs for React2Shell exploitation patterns. Hunt for stolen AWS keys, database credentials, and SSH private keys in use across your cloud infrastructure and terminate any unauthorized sessions.
Affected products
React2Shell, Next.js, NEXUS Listener, Cisco Talos