How much damage can a single software flaw do when attackers turn it into a wide-net harvesting operation? In late March and early April 2026, researchers observed a campaign that turned an exploit of the React2Shell vulnerability into an automated credential-stealing machine, compromising hundreds of sites and scooping up the keys to their digital kingdoms.
What the incident is — and what was taken
Security observers report a large-scale credential harvesting operation that exploited the React2Shell vulnerability (tracked as CVE-2025-55182) as its initial infection vector. The campaign successfully breached 766 Next.js hosts and, according to the reporting, collected a broad set of secrets and artifacts from compromised systems: database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens.
Cisco Talos has attributed the operation to a threat cluster it tracks, indicating the activity is part of a repeated or coordinated effort rather than an isolated incident.
How the attack worked, in brief
Observers characterize the exploit of React2Shell as the opening move: attackers leveraged that vulnerability to gain an initial foothold and then executed automated routines to harvest credentials and tokens at scale. The list of items taken—ranging from database credentials to cloud secrets and code repository tokens—reflects an intent to convert system access into further access, data exfiltration, and potential monetization.
Why this matters: practical consequences for stakeholders
- Technologists: Losing SSH keys, database credentials, and GitHub tokens can enable lateral movement, code tampering, and service impersonation. AWS secrets and Stripe keys can be used to access cloud resources and payment systems, respectively, increasing the scope and potential financial impact of a breach.
- Organizational risk owners: A compromise that yields cross-cutting secrets changes incident response priorities. Containment must include credential rotation, token revocation, and validation of build and deployment pipelines where stolen tokens could be used to alter code or infrastructure.
- End users and customers: When attackers harvest payment and account-related keys, the downstream risk includes unauthorized transactions, data exposure, and service disruption that affect customers rather than only back-end systems.
- Adversaries and defenders: For attackers, automated credential harvesting is a high-value, low-cost operation that scales quickly. For defenders, the same scale requires automation in detection, rapid secrets rotation, and rigorous supply-chain hygiene to prevent initial compromise through widely deployed frameworks.
What organizations should do next
The observable facts of this campaign point to a short list of immediate measures: identify and patch vulnerable instances tied to the React2Shell weakness, inventory and rotate exposed credentials and tokens, revoke any compromised keys and API secrets, and scrutinize shell histories and repository activity for signs of misuse. Equally important is monitoring for follow-on activity from the attributed threat cluster, since Cisco Talos’s linkage suggests the campaign may be part of a sustained effort.
The breach of 766 Next.js hosts is a concrete reminder that a single exploited vulnerability can yield a trove of operational secrets. If defenders do not assume that keys and tokens are prime targets, adversaries will keep treating them as the prize. Who will move fastest to close the leak before the next wave of exfiltration begins?
https://thehackernews.com/2026/04/hackers-exploit-cve-2025-55182-to.html




