Hackers Exploit React2Shell Flaw to Steal Credentials from 766+ Systems Worldwide

Cybercriminals exploit React2Shell flaw in Next.js, stealing credentials via NEXUS Listener. 766 hosts compromised across industries.

By Content Team

Apr 7, 2026

ON THIS PAGE

Share

---

ON THIS PAGE

Want more insights like this?

Subscribe to our newsletter to get the latest software protection strategies delivered to your inbox.

By submitting your email, you consent to Codekeeper contacting you and agree to our privacy policy.

Cybercriminals are exploiting a critical React2Shell vulnerability (CVE-2025-55182) in Next.js web applications to launch a massive automated credential theft campaign. Cisco Talos researchers discovered the operation, attributed to threat group UAT-10608, has compromised at least 766 hosts across multiple industries and regions.

The attackers use an automated tool called "NEXUS Listener" that harvests credentials, SSH keys, cloud tokens, and environment secrets after exploiting the pre-authentication remote code execution flaw. The framework includes a graphical interface with search capabilities, turning stolen data into a searchable intelligence database.

Defenses include patching the vulnerability, rotating exposed credentials, and monitoring for suspicious processes spawned from /tmp/ directories with randomized names.

Source: Dark Reading

Share this article

Have questions about protecting your software?

Our escrow experts are standing by to help.

Book a free demo

YOU MAY ALSO LIKE

Instagram Fixes Password Reset Bug as Old Data Leak Resurfaces

Jan 12, 2026

Major Data Breach Hits Netherlands' Largest Mobile Operator, 6.2 Million Users Affected

Feb 16, 2026

Peabody Residents Receive Breach Notifications After Summer Hack

Feb 14, 2026

Cybercriminals Use LiveChat Platform for Real-Time Phishing Scams

Mar 17, 2026