[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"focus:hackers-exploit-react2shell-in-automated-credential-theft-campaign-mnn9mhj4":3},{"item":4},{"id":5,"title":6,"slug":7,"summary":8,"severity":9,"category":10,"cve_ids":11,"affected_products":13,"action_required":18,"article_ids":19,"ioc_summary":21,"source_urls":22,"status":24,"expires_at":25,"created_at":26,"updated_at":27,"articles":28},"c225214c-d284-46d8-8df8-13c3b329d11c","Hackers exploit React2Shell in automated credential theft campaign","hackers-exploit-react2shell-in-automated-credential-theft-campaign-mnn9mhj4","UAT-10608 is actively exploiting CVE-2025-55182 in Next.js applications via React2Shell to harvest credentials at scale. At least 766 hosts have been compromised, with attackers stealing database credentials, AWS keys, SSH private keys, and API tokens. Stolen credentials are being used for cloud account takeovers and lateral movement.","critical","advisory",[12],"CVE-2025-55182",[14,15,16,17],"React2Shell","Next.js","NEXUS Listener","Cisco Talos","Immediately patch all Next.js applications to the latest version and scan logs for React2Shell exploitation patterns. Treat database credentials, AWS keys, SSH private keys, and API tokens reachable from any exposed application as compromised and rotate them. Hunt for use of stolen AWS keys, database credentials, and SSH private keys across your cloud infrastructure and terminate any unauthorized sessions.",[20],"4a89927d-2828-4efc-a7a6-dd1c68a997f7",null,[23],"https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fhackers-exploit-react2shell-in-automated-credential-theft-campaign\u002F","archived","2026-04-08T14:08:05.157+00:00","2026-04-06T14:08:11.656814+00:00","2026-04-08T14:09:00.855281+00:00",[29],{"id":20,"title":6,"url":23}]