Hackers Compromise 700+ Next.js Servers Using React2Shell Exploit

Massive UAT-10608 hack compromises 700+ servers via React2Shell flaw. Update Next.js apps now to protect credentials.

By Content Team

Apr 3, 2026

ON THIS PAGE

Share

---

ON THIS PAGE

Want more insights like this?

Subscribe to our newsletter to get the latest software protection strategies delivered to your inbox.

By submitting your email, you consent to Codekeeper contacting you and agree to our privacy policy.

Cybersecurity researchers at Cisco Talos discovered a massive attack by hacker group UAT-10608, which has compromised over 700 servers in just 24 hours. The attackers are exploiting React2Shell (CVE-2025-55182), a critical remote code execution flaw in Next.js applications that requires no passwords or user interaction.

The hackers use automated tools to scan for vulnerable servers, then deploy malicious scripts that steal credentials like digital vacuum cleaners. Their custom "NEXUS Listener" dashboard shows devastating results: 90% of compromised hosts lost database credentials, 80% had SSH keys stolen, plus AWS credentials, Stripe payment keys, and GitHub tokens were taken.

Companies must immediately update Next.js applications and change all passwords, API keys, and security tokens.

Source: Cybersecurity News

Share this article

Have questions about protecting your software?

Our escrow experts are standing by to help.

Book a free demo

YOU MAY ALSO LIKE

Healthcare Recruitment Platform Hit by Major Cyber Attack Affecting Northern Ireland Health Trusts

Apr 11, 2026

Two US Cybersecurity Pros Plead Guilty Over Ransomware Attacks

Jan 2, 2026

Medical Giant Stryker Hit by Cyberattack Linked to Iranian Group

Mar 12, 2026

Fake PoCs and Overlooked Bugs Create Cisco SD-WAN Security Chaos

Apr 1, 2026