
Apr 06, 2026 · 6 min read

A Next.js Flaw Let Hackers Steal AWS, Stripe, and OpenAI Credentials From 766 Servers in 24 Hours

A critical vulnerability in React Server Components turned Next.js deployments into credential vending machines.


What Happened

Cisco Talos published research this week revealing that a threat actor tracked as UAT-10608 compromised at least 766 Next.js servers across multiple cloud providers and geographic regions in a single day. The attackers exploited CVE-2025-55182, a critical remote code execution vulnerability in React Server Components with the maximum possible severity score of 10.0, to steal cloud credentials, API keys, and environment secrets at industrial scale.

The stolen data includes credentials for AWS, Azure, and Google Cloud, API keys for OpenAI, Anthropic, Stripe, GitHub, SendGrid, and NVIDIA, plus SSH private keys, Kubernetes service account tokens, and Docker configurations. In short, the attackers walked away with the keys to entire cloud infrastructures.

How React2Shell Works

The vulnerability, known in the security community as React2Shell, exists because serialized client data sent to server endpoints in React Server Components is processed without adequate validation or sanitization. No authentication is required. An attacker can fire malicious payloads directly at exposed servers and achieve full remote code execution.

The attack unfolds in five phases:

  • Scanning: Automated tools, likely powered by Shodan and Censys, enumerate publicly reachable Next.js deployments
  • Exploitation: A crafted request triggers remote code execution via CVE-2025-55182
  • Payload deployment: A multi-stage credential harvesting script is dropped into the server's temporary directory
  • Data collection: The script systematically extracts environment variables, SSH keys, shell history, cloud tokens, API keys, and running process data
  • Exfiltration: Stolen data is sent in chunks via HTTP requests over port 8080 to attacker-controlled infrastructure

The NEXUS Listener Dashboard

What sets this campaign apart is NEXUS Listener, the attackers' command and control framework. Researchers discovered that the C2 server hosts a web-based graphical interface that provides a searchable database of stolen credentials, host tracking across all compromised servers, analytics dashboards showing real-time theft statistics, and filtering tools to identify high-value targets.

According to Talos, more than 10,000 files have been collected across the campaign. The dashboard lets attackers browse compromised systems, locate the most valuable credentials, and plan follow-on attacks against cloud infrastructure.

What Was Stolen

The harvested data reads like a master key to modern cloud infrastructure:

  • AWS, GCP, and Azure cloud credentials and IAM tokens
  • SSH private keys and authorized_keys files
  • Kubernetes service account tokens
  • Docker container configurations
  • API keys for Stripe, GitHub, OpenAI, Anthropic, NVIDIA, and SendGrid
  • Telegram bot credentials
  • Environment variables and runtime configurations
  • Shell command history and running process listings

With these credentials, an attacker could access cloud accounts, drain payment processors, exfiltrate source code repositories, and pivot into connected systems. A single compromised Next.js server could expose an entire organization's infrastructure.
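One way to find material of this kind on your own servers before someone else does, as an added example rather than code from the article or from Talos: a small Node.js scanner that reads a .env-style file and reports credentials of the types listed above by their documented prefix formats, falling back to the variable name for secrets that have no fixed shape (an AWS secret access key, for instance). The sample file, the pattern lengths and the NAMED_SECRET naming rule are constructed assumptions to tune for your environment; output is masked so the scanner never re-prints the secret it found into yet another log.

```javascript
// Added example (not from the article or Cisco Talos): scan an environment
// file for credentials of the kinds the campaign harvested. Prefix formats
// below are the vendors' documented shapes; exact lengths drift over time,
// so treat them as an assumption to keep current.
const SECRET_PATTERNS = [
  { type: "aws_access_key_id",       re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { type: "github_token",            re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { type: "stripe_live_secret",      re: /\bsk_live_[0-9A-Za-z]{24,}\b/g },
  { type: "openai_or_anthropic_key", re: /\bsk-[A-Za-z0-9_-]{20,}\b/g },
  { type: "sendgrid_api_key",        re: /\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b/g },
  { type: "telegram_bot_token",      re: /\b\d{8,10}:[A-Za-z0-9_-]{35}\b/g },
  { type: "private_key_block",       re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
];

// Assumption: variables named like this hold secrets even when the value has
// no recognisable prefix (an AWS secret access key is just 40 base64 chars).
const NAMED_SECRET = /(SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY)/i;

// Never echo a full secret back into another log: keep a short fingerprint.
function mask(value) {
  return value.length <= 8 ? "****" : `${value.slice(0, 4)}...${value.slice(-2)}`;
}

// Parse "KEY=VALUE" (optionally "export KEY=VALUE", optional surrounding quotes).
function parseAssignment(line) {
  const m = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
  if (!m) return null;
  return { key: m[1], value: m[2].trim().replace(/^["']|["']$/g, "") };
}

// Returns one finding per detected secret: { line, key, type, masked }.
// Credentials embedded in URLs (user:pass@host) are deliberately out of scope here.
function scanText(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    if (/^\s*(#|$)/.test(line)) return;            // comments and blank lines
    const assign = parseAssignment(line);
    let matched = false;
    for (const { type, re } of SECRET_PATTERNS) {
      for (const m of line.matchAll(re)) {
        matched = true;
        findings.push({ line: idx + 1, key: assign ? assign.key : null, type, masked: mask(m[0]) });
      }
    }
    if (!matched && assign && NAMED_SECRET.test(assign.key) && assign.value.length >= 20) {
      findings.push({ line: idx + 1, key: assign.key, type: "named_secret", masked: mask(assign.value) });
    }
  });
  return findings;
}

// Constructed sample .env; every value is fake and shaped only to exercise the
// patterns above.
const SAMPLE_ENV = [
  "# constructed sample, all values fake",
  "NODE_ENV=production",
  "AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000",
  "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "STRIPE_SECRET_KEY=sk_live_EXAMPLEEXAMPLEEXAMPLEEXAMPLE",
  "OPENAI_API_KEY=sk-proj-EXAMPLEEXAMPLEEXAMPLE",
  "GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJ012345",
  "SENDGRID_API_KEY=SG.0123456789abcdefghijAB.0123456789abcdefghijABCDEFGHIJ0123456789abc",
  "TELEGRAM_BOT_TOKEN=123456789:AAExampleExampleExampleExampleExamp",
  "DEPLOY_SSH_PRIVATE_KEY=-----BEGIN OPENSSH PRIVATE KEY-----",
  "DATABASE_URL=postgres://app:app@localhost/app",
].join("\n");

for (const f of scanText(SAMPLE_ENV)) {
  console.log(`line ${f.line}: ${f.type} in ${f.key} (${f.masked})`);
}
```

Run it against the real files you ship to a server (and against the environment of a running container via `env`) and treat every hit as a credential that belongs in a secrets manager, with the value rotated if the host was ever exposed.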

Who Is at Risk

Any organization running a Next.js application with React Server Components on a publicly accessible server is a potential target. The indiscriminate scanning pattern means the attackers are not selecting specific companies. They are sweeping the entire internet for vulnerable deployments.

Next.js is one of the most popular frameworks for building web applications, with millions of deployments worldwide. Many organizations store sensitive credentials in environment variables on their servers, a common practice that this attack turns from convenience into catastrophe.

What You Should Do

If you run Next.js applications, take these steps immediately:

  • Patch now: Update all Next.js deployments to a version that fixes CVE-2025-55182
  • Rotate credentials: If your server was exposed, assume all environment variables, API keys, and tokens are compromised and rotate them
  • Enforce AWS IMDSv2: Require session tokens for the instance metadata service so the older IMDSv1 endpoint that attackers use to read instance credentials is no longer answered
  • Enable secret scanning: Deploy tools that detect exposed credentials in your repositories and server environments
  • Audit server access: Review logs for suspicious HTTP requests to server component endpoints and unusual outbound traffic on port 8080
  • Apply least privilege: Ensure containers and cloud workloads only have the permissions they actually need
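For the "audit server access" step, the following is an added example, not code from the article or from Talos, that applies both checks in Node.js over constructed records: source IPs that invoke server actions (POSTs carrying the Next-Action header Next.js uses for server actions) without ever loading a page, and outbound connections to port 8080 from the application host that no allowlist explains, then correlates the two in time. The record field names, the allowlist, the 300-second window and the "no page load" heuristic are assumptions; map them onto your own access and flow logs.

```javascript
// Added example (not from the article or Cisco Talos): triage checks for the
// "audit server access" step. Record shapes, the allowlist, the time window
// and the no-page-load heuristic are assumptions; map them to your own logs.

// Constructed web access records. nextAction is true when the request carried
// the Next-Action header that Next.js uses to invoke server actions.
const ACCESS_LOG = [
  { ts: 1000, src: "203.0.113.10", method: "GET",  path: "/",      status: 200, nextAction: false },
  { ts: 1003, src: "203.0.113.10", method: "POST", path: "/",      status: 200, nextAction: true },
  { ts: 2000, src: "198.51.100.7", method: "POST", path: "/",      status: 500, nextAction: true },
  { ts: 2001, src: "198.51.100.7", method: "POST", path: "/login", status: 500, nextAction: true },
  { ts: 2002, src: "198.51.100.7", method: "POST", path: "/",      status: 200, nextAction: true },
];

// Constructed outbound flow records from the application host.
const OUTBOUND_FLOWS = [
  { ts: 2010, dst: "10.0.0.5",   dport: 5432, bytes: 1200 },
  { ts: 2020, dst: "192.0.2.44", dport: 8080, bytes: 65536 },
  { ts: 2021, dst: "192.0.2.44", dport: 8080, bytes: 65536 },
  { ts: 2022, dst: "192.0.2.44", dport: 8080, bytes: 30211 },
  { ts: 2030, dst: "10.0.0.9",   dport: 8080, bytes: 900 },
];

// Assumption: one internal service legitimately listens on 8080.
const OUTBOUND_ALLOWLIST = new Set(["10.0.0.9"]);

// Heuristic: a browser loads a page (GET) before it invokes a server action;
// a source that only fires action POSTs never rendered anything. Returns one
// summary per such source, including how many actions ended in a 5xx.
function suspiciousActionSources(records) {
  const bySrc = new Map();
  for (const r of records) {
    const s = bySrc.get(r.src) || { src: r.src, actionPosts: 0, pageLoads: 0, serverErrors: 0, lastTs: 0 };
    if (r.method === "GET") s.pageLoads += 1;
    if (r.method === "POST" && r.nextAction) {
      s.actionPosts += 1;
      if (r.status >= 500) s.serverErrors += 1;
      s.lastTs = Math.max(s.lastTs, r.ts);
    }
    bySrc.set(r.src, s);
  }
  return [...bySrc.values()].filter((s) => s.actionPosts > 0 && s.pageLoads === 0);
}

// Outbound connections to the exfiltration port that no allowlist explains,
// aggregated per destination so chunked uploads show up as one volume figure.
function unexpectedOutbound(flows, allowlist, port = 8080) {
  const byDst = new Map();
  for (const f of flows) {
    if (f.dport !== port || allowlist.has(f.dst)) continue;
    const d = byDst.get(f.dst) || { dst: f.dst, connections: 0, bytes: 0, firstTs: f.ts };
    d.connections += 1;
    d.bytes += f.bytes;
    d.firstTs = Math.min(d.firstTs, f.ts);
    byDst.set(f.dst, d);
  }
  return [...byDst.values()];
}

// Pair each suspicious source with outbound bursts that began within
// windowSec after its last action POST: exploitation followed by upload.
function correlate(sources, outbound, windowSec = 300) {
  const alerts = [];
  for (const s of sources) {
    for (const o of outbound) {
      const gap = o.firstTs - s.lastTs;
      if (gap >= 0 && gap <= windowSec) {
        alerts.push({ src: s.src, dst: o.dst, secondsBetween: gap, bytes: o.bytes, connections: o.connections });
      }
    }
  }
  return alerts;
}

const sources = suspiciousActionSources(ACCESS_LOG);
const outbound = unexpectedOutbound(OUTBOUND_FLOWS, OUTBOUND_ALLOWLIST);
for (const a of correlate(sources, outbound)) {
  console.log(`ALERT: ${a.src} fired server actions, then ${a.bytes} bytes left for ${a.dst}:8080 ${a.secondsBetween}s later`);
}
```

The two checks are deliberately independent: a burst of action POSTs that all return 500 is worth a look on its own (a scanner probing for the flaw), and an unexplained upload to port 8080 is worth a look even without a matching request, since the harvesting script keeps running after the initial request is gone from your access log.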

The speed of this campaign, 766 servers in 24 hours, means that unpatched systems are actively being found and exploited. Every day without a patch is a day your credentials may be sitting in someone else's dashboard.

The Bigger Picture

React2Shell represents a growing trend: attackers are not breaking into systems one at a time. They are automating the entire chain from scanning to credential theft, building dashboards to manage stolen data at scale, and treating compromised infrastructure as a searchable inventory. The supply chain attacks we've seen targeting npm packages follow a similar pattern of industrialized credential theft.

For developers, the lesson is clear: server-side rendering frameworks need the same security rigor as any other public-facing service. Environment variables are not a vault. And if your credentials are not rotated regularly, a single vulnerability can hand your entire stack to an attacker before you even know they were there.