
Hackers Exploit React2Shell Flaw to Compromise 700+ Next.js Servers

Massive attack by UAT-10608 compromises 700+ Next.js servers via React2Shell flaw, stealing credentials. Update apps now.
Content Team

Cybersecurity researchers at Cisco Talos discovered a massive attack by hacker group UAT-10608 that has compromised over 700 Next.js servers using the React2Shell vulnerability (CVE-2025-55182). The attackers exploit this remote code execution flaw to automatically steal credentials without needing passwords or user interaction.

In just 24 hours, their "NEXUS Listener" dashboard recorded 766 compromised hosts. Over 90% had database credentials stolen, nearly 80% lost SSH keys, and hackers also grabbed AWS credentials, Stripe payment keys, and GitHub tokens.

The stolen data gives attackers access to private user information, financial records, and the ability to move across company networks or take over entire cloud environments. Companies using Next.js should immediately update their applications and change all passwords and security tokens.

Source: Cybersecurity News
