React2Shell CVE-2025-55182: 766 Next.js Hosts Breached in Automated Credential-Theft Wave
By the mine2 team · 12 min read


A CVSS 10.0 pre-auth RCE vulnerability in React Server Components has enabled an automated campaign to compromise 766 cloud hosts and mass-exfiltrate AWS secrets, SSH keys, GitHub tokens, and Stripe API keys. In 39% of cloud environments, vulnerable instances are already present. Credential Mines and Cloud Mines provide the detection layer that fires the instant stolen secrets are first used — with zero false positives and zero performance impact.


There is a number that should stop every engineering and security leader in their tracks: 766. That is the confirmed count of Next.js hosts compromised in a single, ongoing automated credential-theft campaign exploiting CVE-2025-55182 — the React2Shell vulnerability. Cisco Talos, who attributes the operation to threat cluster UAT-10608, documented an adversary that needed only a single unauthenticated HTTP request to gain remote code execution on each victim. From there, automated scripts swept the host for database credentials, SSH private keys, AWS IAM secrets, shell command history, Stripe API keys, and GitHub access tokens — all exfiltrated to an attacker-controlled command-and-control server before most organisations even knew the intrusion had begun.

The CVSS score for React2Shell is 10.0. That is the maximum possible severity. Wiz Research data shows 39% of cloud environments contain at least one vulnerable instance. This is not a theoretical exposure — it is an active, weaponised campaign running right now.

The React2Shell Vulnerability: What Makes It So Dangerous

CVE-2025-55182 resides in the React Server Components (RSC) "Flight" protocol, the mechanism that Next.js App Router uses to stream server-rendered components to the browser. The flaw stems from insecure deserialization in the RSC payload handling logic: a specially crafted HTTP request can inject attacker-controlled data into server-side execution paths, resulting in arbitrary code execution — with no authentication required.

React 19.x and Next.js 15.x/16.x when using App Router are affected. The exploitation path is fully automated, with near-100% success rate on unpatched hosts, according to Datadog Security Labs. Within hours of the vulnerability's public disclosure in December 2025, Amazon threat intelligence observed active exploitation attempts by China state-nexus groups including Earth Lamia and Jackpot Panda. By April 2026, the threat had evolved into a sustained, industrialised operation.

What makes this campaign especially damaging is the breadth of what gets stolen. UAT-10608 deploys a post-exploitation framework called NEXUS Listener that systematically exfiltrates:

  • Database connection strings — direct access to production data
  • SSH private keys — persistent, silent access to any server the key was ever used on
  • AWS IAM credentials and session tokens — cloud-native lateral movement across your entire infrastructure
  • GitHub tokens and Stripe API keys — supply chain pivot points and financial fraud vectors
  • Shell history files — a roadmap of every privileged command run on the host

The stolen credential portfolio from a single compromised Next.js host is enough to fuel months of follow-on intrusion activity across cloud, on-premise, and SaaS environments.

Why This Threat Matters Beyond the Patch

The conventional security response to a critical CVE is: patch fast, rotate secrets, audit logs. That advice is correct but dangerously incomplete for React2Shell.

First, patching takes time. Wiz Research reported 39% of cloud environments had vulnerable instances as of early April 2026. Enterprise organisations running complex Next.js deployments in containerised or serverless environments — with multiple app versions, CI/CD pipelines, and shared infrastructure — often cannot patch production within 72 hours. During that window, UAT-10608's automated scanners are already sweeping the internet.

Second, credential rotation is incomplete by definition. An organisation that discovers the breach after the fact must identify every credential present on the compromised host — database passwords, cloud keys, SSH private keys, API tokens. Most organisations have no accurate, current inventory of credentials deployed across production hosts. Shell history alone can reveal credentials typed interactively weeks or months before the breach.

Third, the follow-on access is credential-based, not malware-based. Once the attacker has your AWS access key, they connect to your cloud environment using the AWS CLI — behaviour that is indistinguishable from a legitimate developer running aws s3 ls. Mandiant's M-Trends 2026 report found that 82% of detections in 2025 involved no malware — attackers used valid credentials and native tooling, blending into normal operational noise. The median time between initial access and credential hand-off has fallen to 22 seconds, meaning your response team has less than half a minute to interrupt the credential exfiltration chain.

Why Traditional Security Tools See Nothing

The failure mode for conventional security tools against React2Shell post-exploitation is structural, not a tuning problem.

Endpoint Detection and Response (EDR) tools monitor process behaviour, file activity, and network connections at the OS level. A containerised Next.js application often runs in a stripped-down container image with minimal OS surface — the very environment EDR agents are not deployed in. Even where agents exist, the NEXUS Listener framework used by UAT-10608 operates through the application runtime, not via suspicious child processes or unusual binaries that heuristics flag.

SIEM and log analytics depend on log completeness and correlation rules. Credential exfiltration via HTTP POST to a C2 server looks, at the network level, like ordinary outbound web traffic. Without semantic understanding of what the exfiltrated data is, log-based detection cannot differentiate it from legitimate API calls. By the time a SIEM alert fires — if it fires at all — the credential package has already landed at the attacker's infrastructure.

Cloud Security Posture Management (CSPM) tools can identify vulnerable configurations and flag missing patches, but they cannot detect the use of credentials that were legitimately present on a system before the breach. When an attacker connects to AWS with a stolen IAM key, the access looks authorised from the cloud control plane's perspective.

Web Application Firewalls (WAF) can block known React2Shell exploit signatures, but signature-based blocking is reactive. The first wave of exploitation hits before signatures exist. And WAFs provide zero coverage for the post-exploitation phase: the credential theft happens inside the compromised application runtime, not at the network perimeter.

The fundamental gap is this: once credentials are stolen, traditional security has no mechanism to know which credentials were taken, or to detect their first use. That gap is precisely where deception technology operates.

How Mine2 Detects React2Shell Credential Theft With Zero False Positives

Mine2's approach to this threat class is architectural rather than reactive. Instead of trying to detect the exploit itself — a race traditional tools consistently lose — Mine2 deploys synthetic credentials, fake API keys, and decoy cloud resources throughout the environment. These assets look indistinguishable from real credentials to an attacker or their automated tools, but they are never used by any legitimate process. Any interaction with them is, by definition, a confirmed intrusion.

Credential Mines are fake-but-realistic credentials planted across your environment: in environment variable files, application configuration stores, shell history files, and CI/CD pipeline secrets. When UAT-10608's NEXUS Listener sweeps a compromised Next.js host and exfiltrates its credential store, it will collect Mine2 Credential Mines alongside real secrets. The moment the attacker attempts to use a Credential Mine — whether to authenticate to a database, call an API, or access a cloud service — Mine2 fires a high-fidelity alert with full session context. No false positives. No tuning required.

Cloud Mines extend this coverage into AWS, Azure, and GCP environments. Mine2 provisions fake AWS IAM credentials, S3 bucket access keys, and Lambda invocation tokens that appear identical to legitimate cloud credentials. When a post-React2Shell attacker attempts cloud enumeration or lateral movement using stolen cloud secrets, Cloud Mines provide the tripwire. The attacker's IP, user-agent, session token, and complete API call chain are captured at the moment of first use — before they have enumerated a single real resource.

MineField decoy TCP services detect the reconnaissance and lateral movement phase that follows initial access. Attackers who have breached one Next.js host and are scanning for additional internal targets will encounter MineField services on ports they expect to find legitimate infrastructure on. Each connection attempt to a MineField service is an instant, high-confidence alert: no legitimate user has any reason to connect to a decoy service.

The combined effect is a detection layer that is entirely independent of the exploit vector. Whether the attacker used React2Shell, a misconfigured IAM policy, or a phished developer credential, the moment they touch a Mine2 asset, the alert fires — with full forensic context and zero false positives.
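The Cloud Mines tripwire described above boils down to one rule: a planted key ID is never used legitimately, so its first appearance in the cloud audit trail is the alert. The following is an added example (not Mine2's code) that applies that rule to CloudTrail records; the canary key IDs and the sample records are constructed placeholders, and it assumes the defender keeps a list of the key IDs it planted.

```python
"""Detect first use of planted (canary) AWS access keys in CloudTrail.

Added example, not Mine2 code. Assumes the defender knows the key IDs of the
mines it planted; the IDs and records below are constructed placeholders."""
import json

# Constructed placeholder IDs of mines planted in .env files and shell history.
CANARY_KEY_IDS = {"AKIAEXAMPLECANARY001", "AKIAEXAMPLECANARY002"}

# Constructed CloudTrail records: one legitimate call with a real key, then
# an attacker trying a planted key (STS identity check, then a denied S3 list).
SAMPLE_RECORDS = [
    {"eventTime": "2026-04-02T10:00:00Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "10.0.1.20",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEREALKEY01"}},
    {"eventTime": "2026-04-02T10:03:41Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLECANARY001"}},
    {"eventTime": "2026-04-02T10:03:44Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userAgent": "aws-cli/2.15.0", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLECANARY001"}},
]


def detect_canary_use(records, canary_ids=CANARY_KEY_IDS):
    """Return one alert per canary key with its ordered API call chain.

    A denied call still alerts: the key is used by no legitimate process, so
    any attempt to use it is a confirmed intrusion rather than noise."""
    alerts = {}
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        key_id = rec.get("userIdentity", {}).get("accessKeyId")
        if key_id not in canary_ids:
            continue  # activity with real credentials is deliberately ignored
        alert = alerts.setdefault(key_id, {
            "credential": key_id, "first_seen": rec["eventTime"],
            "source_ip": rec["sourceIPAddress"],
            "user_agent": rec.get("userAgent", ""), "call_chain": []})
        call = f'{rec["eventSource"]}:{rec["eventName"]}'
        if "errorCode" in rec:
            call += f' ({rec["errorCode"]})'
        alert["call_chain"].append(call)
    return list(alerts.values())


def parse_cloudtrail(raw_json):
    """Unwrap a CloudTrail log file body ({"Records": [...]}) into records."""
    return json.loads(raw_json).get("Records", [])


if __name__ == "__main__":
    body = json.dumps({"Records": SAMPLE_RECORDS})
    for alert in detect_canary_use(parse_cloudtrail(body)):
        print(json.dumps(alert, indent=2))
```

The same matching works on any audit source that records the credential identifier per call; only the field names change.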

Compliance: Why React2Shell Breach Response Demands More Than a Patch

The regulatory implications of a React2Shell-class breach extend well beyond the immediate technical response. Organisations in regulated sectors face mandatory breach notification windows that assume prompt detection — but as the above analysis makes clear, detection is precisely what traditional tools fail to provide.

GDPR (Articles 33 and 34) requires notification to supervisory authorities within 72 hours of becoming aware of a personal data breach. If your React2Shell compromise exposed a Next.js application that processed EU resident data — and most web applications do — the clock starts ticking the moment you have reason to believe a breach occurred. The challenge: a credential-based intrusion that leaves no malware and blends into normal cloud activity may not be detected for weeks or months without active detection mechanisms. Mine2's Credential Mines establish a clear, legally defensible detection timestamp: the instant a stolen mine fires, you have awareness of breach — and your 72-hour GDPR notification clock starts from a known reference point.

India DPDP Act (Digital Personal Data Protection Act, 2023) requires Data Fiduciaries to report personal data breaches to the Data Protection Board of India and affected Data Principals without undue delay. Mine2's detection audit trail provides the incident timeline documentation that regulators require to assess whether the "undue delay" standard has been met.

PCI-DSS Requirement 11 mandates continuous monitoring of cardholder data environments and prompt investigation of security incidents. For organisations whose Next.js applications handle payment flows — where Stripe API keys are a particularly high-value target for React2Shell campaigns — Mine2's fake Stripe credential mines provide a specific, targeted detection layer for the credential class most likely to result in PCI-DSS scope expansion.

RBI and SEBI directives for Indian financial institutions require cyber incident reporting within defined windows and mandate controls to detect and respond to unauthorised access. Mine2's zero-false-positive alert model provides the clean incident record that satisfies internal audit requirements without the alert fatigue that undermines SIEM-based compliance evidence.

CERT-In 6-hour reporting (Indian Computer Emergency Response Team) mandates incident reports within six hours of detection for covered entities including banks, financial institutions, and critical infrastructure providers. The operative phrase is "within six hours of detection" — which presupposes you have a mechanism to detect the intrusion. Mine2 Credential Mines compress detection from weeks to seconds.

HIPAA Security Rule (Technical Safeguard § 164.312) requires mechanisms to detect and log unauthorised access to electronic Protected Health Information (ePHI). Healthcare organisations running Next.js patient portals or API backends are squarely in scope for React2Shell exposure. Mine2's audit log — which captures every interaction with a mine, including timestamp, source IP, credential used, and downstream action attempted — provides the HIPAA-compliant access monitoring record that auditors require.

Practical Playbook: Responding to React2Shell Exposure

Immediate actions (0–24 hours):

Audit your Next.js deployment inventory. Use your cloud provider's asset inventory or a tool like Wiz to enumerate all running Next.js App Router instances. Prioritise internet-facing deployments and those with access to production databases or cloud credentials.

Apply patches immediately. Update to patched versions of React and Next.js as documented in the CVE advisories from react.dev and Vercel. In containerised environments, rebuild and redeploy images rather than patching in place.

Rotate credentials on all potentially exposed hosts. Do not wait for forensic confirmation. Any Next.js host that was unpatched during the exposure window should be treated as compromised. Rotate database passwords, regenerate SSH key pairs, revoke and reissue AWS IAM keys, and cycle GitHub personal access tokens and Stripe API keys.

Enforce AWS IMDSv2. The Instance Metadata Service v2 requires session-oriented requests, preventing the trivial SSRF-to-credential-theft pattern that NEXUS Listener exploits on EC2-hosted applications.
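The inventory and patching steps above need a repeatable way to decide, per deployment, whether it sits in the affected combination (React 19.x with Next.js 15.x/16.x on the App Router) and whether it has reached the fixed versions. This added example (not from the advisories) triages one deployment from its package-lock.json and file list; because the page does not state the fixed version numbers, the PATCHED_FLOOR values are placeholders to be filled from the react.dev and Vercel advisories.

```python
"""Triage Next.js deployments for React2Shell exposure from their lock files.

Added example, not from the advisories. The page gives the affected
combination (React 19.x with Next.js 15.x/16.x using the App Router) but not
the fixed versions, so PATCHED_FLOOR is a placeholder the operator must fill
from the react.dev / Vercel advisories."""
import json
import re

# PLACEHOLDER floors: replace with the fixed versions from the official advisories.
PATCHED_FLOOR = {"next": (99, 0, 0), "react": (99, 0, 0)}
AFFECTED_MAJORS = {"next": {15, 16}, "react": {19}}


def parse_semver(version):
    """'15.2.3', '^15.2.3' or '15.2.3-canary.1' -> (15, 2, 3)."""
    m = re.match(r"[\^~=v]*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.groups())


def resolved_versions(lock_json):
    """Resolved 'next' and 'react' versions from a package-lock.json (v2/v3)."""
    pkgs = json.loads(lock_json).get("packages", {})
    return {name: pkgs[f"node_modules/{name}"]["version"]
            for name in ("next", "react") if f"node_modules/{name}" in pkgs}


def triage(lock_json, project_files, floors=PATCHED_FLOOR):
    """Verdict for one deployment. project_files lists paths in the build
    context; an app/layout.* file means the App Router (the affected path)."""
    versions = resolved_versions(lock_json)
    if "next" not in versions or "react" not in versions:
        return {"verdict": "not-nextjs", "versions": versions, "app_router": False}
    app_router = any(re.match(r"(src/)?app/layout\.(js|jsx|ts|tsx)$", p)
                     for p in project_files)
    in_range = all(parse_semver(versions[n])[0] in AFFECTED_MAJORS[n]
                   for n in ("next", "react"))
    patched = all(parse_semver(versions[n]) >= floors[n] for n in ("next", "react"))
    if not in_range or not app_router:
        verdict = "outside-affected-combination"
    elif patched:
        verdict = "patched"
    else:
        verdict = "VULNERABLE: rotate credentials and patch"
    return {"verdict": verdict, "versions": versions, "app_router": app_router}


# Constructed sample: a deployment on the affected majors using the App Router.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "node_modules/next": {"version": "15.1.0"},
    "node_modules/react": {"version": "19.0.0"}}})
SAMPLE_FILES = ["package.json", "app/layout.tsx", "app/page.tsx"]

if __name__ == "__main__":
    print(triage(SAMPLE_LOCK, SAMPLE_FILES))
```

Run it over every lock file and build context your asset inventory returns; a VULNERABLE verdict on an internet-facing host is the rotation trigger from the step above, independent of any forensic confirmation.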

Detection layer (deploy within 48 hours):

Deploy Mine2 Credential Mines to your Next.js application hosts and CI/CD environments. Seed fake database connection strings, AWS access key pairs, and GitHub tokens alongside real credentials. Any exfiltration event that touches these mines provides immediate detection when the attacker attempts to use the stolen credential.

Activate Mine2 Cloud Mines in your AWS and Azure environments. Provision fake IAM credentials that map to no real resource. Any authentication attempt using these credentials is an instant, unambiguous intrusion indicator.

Deploy MineField decoy services on internal network segments adjacent to your Next.js infrastructure to detect post-compromise lateral movement.

Ongoing posture (30 days):

Implement secrets scanning in your CI/CD pipeline to prevent real credentials from appearing in application configuration alongside mines. Tools like GitHub Secret Scanning or GitGuardian can flag accidental credential commits before they reach production.

Conduct a credentials-in-files audit across your production host fleet. Identify all locations where database passwords, SSH private keys, and cloud credentials are stored on disk — these are the exact paths NEXUS Listener targets. Replace real credentials with references to a secrets management service (AWS Secrets Manager, HashiCorp Vault) and plant Mine2 Credential Mines at the legacy paths.

Establish a Mine2 alert runbook. Define the response procedure — who is notified, what investigation steps are taken, which regulatory reporting obligations are triggered — so that when a mine fires, the response is immediate and legally defensible.
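The credentials-in-files audit and the secrets-scanning step above both come down to one inventory: which files on a host hold real secrets that must move to a secrets manager, and which hold planted mines that must stay. This added example (not Mine2 tooling) performs that inventory over constructed file contents for the path classes the article says NEXUS Listener sweeps; the mine IDs and file contents are constructed, and the regexes cover only the credential classes named on this page.

```python
"""Inventory credentials at rest on a host, separating real secrets from mines.

Added example, not Mine2 tooling; mine IDs and file contents are constructed.
It checks the same path classes the article says NEXUS Listener sweeps (.env
files, shell history, SSH keys) and says which findings must move to a secrets
manager and which are planted mines that should stay where they are."""
import re

# Constructed: IDs of mines the defender has already planted.
KNOWN_MINE_IDS = {"AKIAEXAMPLECANARY001"}

# Credential class -> content pattern (matched on content, not on file name).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{24,}\b"),
    "ssh_private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
    "db_connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s'\"/@]+:[^\s'\"@]+@"),
}

# Constructed host contents keyed by path: an app .env holding a real DB string
# plus a planted mine, a shell history with a real key, and a real SSH key.
SAMPLE_FILES = {
    "/srv/app/.env": "DATABASE_URL=postgres://app:s3cr3tpw@db.internal:5432/prod\n"
                     "AWS_ACCESS_KEY_ID=AKIAEXAMPLECANARY001\n",
    "/home/deploy/.bash_history": "export AWS_ACCESS_KEY_ID=AKIAEXAMPLEREALKEY01\n"
                                  "aws s3 ls\n",
    "/home/deploy/.ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                                    "(constructed, body omitted)\n",
}


def audit(files, mine_ids=KNOWN_MINE_IDS):
    """files: {path: content}. Returns findings with a redacted value and a
    disposition; full secret values are never written to the report."""
    findings = []
    for path, content in files.items():
        for cls, pattern in PATTERNS.items():
            for m in pattern.finditer(content):
                token = m.group(0)
                findings.append({
                    "path": path, "class": cls, "value": token[:8] + "...",
                    "disposition": "mine-keep" if token in mine_ids
                    else "real-move-to-secrets-manager"})
    return findings


def real_secret_paths(findings):
    """Paths still holding real secrets: once the real value is moved to a
    secrets manager, these are the legacy paths where a mine belongs."""
    return sorted({f["path"] for f in findings if f["disposition"] != "mine-keep"})


if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        print(f)
```

Feed it the real file contents from a fleet-wide collection job and diff successive runs: a real secret reappearing at a path that should only hold a mine is itself a finding for the runbook.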

The Strategic Shift React2Shell Demands

React2Shell is not merely a patch management failure. It represents a structural challenge that will recur with every subsequent critical RCE vulnerability: the window between public disclosure and universal patching is measured in days or weeks, automated exploitation begins within hours of disclosure, and the post-exploitation credential theft is designed to be undetectable by conventional tools.

Organisations that win in this environment are those that accept an adversarial assumption: that some fraction of their production infrastructure will be breached, and that detection capability matters as much as prevention capability. Mine2 is built for that assumption. Credential Mines, Cloud Mines, and MineField create a detection surface that is entirely independent of the exploit used to gain initial access — so whether the next React2Shell-class vulnerability targets your web framework, your container runtime, or your cloud SDK, the moment the attacker touches a mine, you know.

Zero false positives. Single-click deployment. Zero performance impact.

Protect your environment before the next automated credential sweep reaches your infrastructure.

mine2 team

The MINE2 team consists of cybersecurity experts, researchers, and engineers dedicated to advancing threat detection and cyber deception technologies.