Listen to this Post

Introduction
A large-scale, automated attack campaign has exploited a critical remote code execution vulnerability in the Next.js framework to compromise over 766 hosts. The operation, actively harvesting cloud secrets, SSH keys, and API tokens at an industrial scale, marks a significant escalation in automated, profit-driven cyberattacks. Understanding the technical exploitation chain and implementing immediate mitigation steps is crucial for any organization running Next.js applications.
Learning Objectives
- Understand the technical details of the React2Shell vulnerability (CVE-2025-55182) and its role as an initial access vector.
- Learn how to detect compromised Next.js servers through log analysis and system indicators.
- Master the step-by-step process to patch vulnerable systems, rotate compromised credentials, and harden cloud environments against automated credential theft.
You Should Know
- The React2Shell Exploitation Chain: From Automated Scan to Full Compromise
This campaign leverages a critical vulnerability in Next.js’s React Server Components, tracked as CVE-2025-55182 (React2Shell), which allows unauthenticated remote code execution (RCE). Attackers automate the entire process, from scanning to credential exfiltration.
The exploitation chain follows these stages:
- Reconnaissance: Attackers use automated scanners to identify internet-facing Next.js applications running vulnerable versions.
- Exploitation: Crafted HTTP requests exploiting the RCE flaw are sent to the target server. A simple `id` command is often used to validate successful exploitation before proceeding.
- Credential Harvesting: Upon gaining initial access, a multi-phase Python-based malware tool is deployed to systematically collect sensitive data, including `.env` files, SSH keys, cloud provider tokens, shell history, and database credentials.
- Persistence & Exfiltration: The compromised host downloads secondary payloads that install backdoors (e.g., SOCKS5 proxies, reverse tunnels) and establishes persistence via systemd services. All stolen data is then exfiltrated to attacker-controlled C2 infrastructure.
Step-by-Step Guide for Detection and Analysis
To determine if your systems have been targeted or compromised, security teams can use the following commands to analyze logs and system artifacts.
On Linux:
Search for suspicious HTTP requests in Next.js logs grep -E "(..\/|%2e%2e%2f|process.mainModule.constructor._load)" /var/log/nextjs/.log Check for unauthorized child_process execution in system logs journalctl -u nextjs | grep -i "child_process" Identify recently created systemd services (potential persistence) ls -la /etc/systemd/system/ | grep -E "(gost|frp|backdoor)" Examine .env file permissions and access logs auditctl -w /path/to/.env -p rwa -k ENV_ACCESS ausearch -k ENV_ACCESS Find all SSH keys modified in the last 7 days find ~/.ssh /root/.ssh /home//.ssh -name "id_" -mtime -7 -ls
On Windows (PowerShell):
Scan IIS logs for path traversal patterns
Select-String -Path "C:\inetpub\logs\LogFiles\.log" -Pattern "../|%2e%2e%2f|process.mainModule"
Check for unusual process creation (child_process)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {$_.Message -match "node.exe"}
Review scheduled tasks for persistence
Get-ScheduledTask | Where-Object {$_.TaskName -match "gost|frp|update"}
Audit environment variable files
Get-ChildItem -Recurse -Filter ".env" -ErrorAction SilentlyContinue | ForEach-Object { $<em>.FullName; Get-Acl $</em>.FullName | Format-List }
2. Patching and Remediation: Securing Your Next.js Deployment
Immediate patching is the most critical step. The React2Shell vulnerability (CVE-2025-55182) is fixed in Next.js versions 15.5.13 and 16.1.7. Organizations must also address the related middleware authorization bypass vulnerability (CVE-2025-29927), which was exploited in earlier waves of this campaign.
Step-by-Step Patching and Hardening Guide
1. Identify Vulnerable Versions
Check your Next.js version npm list next Or inspect package.json cat package.json | grep '"next"'
2. Update Next.js Immediately
For npm projects npm install next@latest For yarn projects yarn add next@latest For pnpm pnpm update next@latest
3. Restrict Public Exposure
- Implement a Web Application Firewall (WAF) rule to block requests containing malicious patterns like `process.mainModule.constructor._load` or
child_process.execSync. - Use middleware to validate and sanitize all incoming request headers, especially
x-middleware-subrequest, which was the vector for CVE-2025-29927.
Example Middleware Mitigation (Next.js):
// middleware.js
import { NextResponse } from 'next/server';
export function middleware(request) {
// Block requests with the malicious header
if (request.headers.has('x-middleware-subrequest')) {
return new NextResponse('Forbidden', { status: 403 });
}
// Validate and sanitize other headers
const dangerousPatterns = [/process.mainModule/, /child_process/];
for (const header of request.headers.values()) {
if (dangerousPatterns.some(pattern => pattern.test(header))) {
return new NextResponse('Forbidden', { status: 403 });
}
}
return NextResponse.next();
}
export const config = {
matcher: '/:path',
};
4. Rotate All Compromised Credentials
- AWS: Revoke and regenerate all IAM user keys and roles.
aws iam list-access-keys --user-name <username> aws iam delete-access-key --access-key-id <key-id> --user-name <username> aws iam create-access-key --user-name <username>
- SSH Keys: Regenerate and redeploy all SSH key pairs.
- API Tokens: Invalidate and reissue tokens for GitHub, Stripe, Docker Hub, and other services found in environment files.
- Cloud and Container Hardening Against Automated Credential Harvesting
The campaign’s success hinges on harvesting credentials stored in plaintext within environment files and container configurations. Implementing robust secrets management and runtime security is essential.
Step-by-Step Hardening for AWS and Docker Environments
1. Eliminate Plaintext Secrets
- Never store secrets in `.env` files or Docker images. Use a dedicated secrets manager like AWS Secrets Manager or HashiCorp Vault.
- AWS Example: Retrieve secrets at runtime.
import boto3 from botocore.exceptions import ClientError</li> </ul> def get_secret(secret_name): session = boto3.session.Session() client = session.client(service_name='secretsmanager') try: response = client.get_secret_value(SecretId=secret_name) return response['SecretString'] except ClientError as e: print(f"Error retrieving secret: {e}") return None2. Secure Docker Configurations
- Do not expose the Docker API socket (
/var/run/docker.sock) to containers. This was a known vector for persistence in the campaign. - Use Docker Content Trust to ensure image integrity.
export DOCKER_CONTENT_TRUST=1 docker pull <your-image>:latest
- Scan images for vulnerabilities before deployment.
docker scan <your-image>:latest
3. Implement Runtime Protection
- Deploy Falco or similar runtime security tools to detect malicious process execution.
- Example Falco Rule to detect child_process execution:
</li> <li>rule: Detect Node.js Child Process Execution desc: Detect when Node.js spawns a child process, which is uncommon in normal Next.js apps. condition: > spawned_process and proc.name = "node" and (proc.cmdline contains "child_process.exec" or proc.cmdline contains "child_process.spawn") output: "Node.js child process executed (command=%proc.cmdline)" priority: WARNING tags: [process, nodejs]
4. Detecting the Attack: IoCs and Log Analysis
Security teams should actively hunt for Indicators of Compromise (IoCs) associated with this campaign. The attackers’ own C2 server leaked real-time statistics through an unprotected `/stats` endpoint, but defenders can look for these specific patterns.
Step-by-Step Detection with Suricata and YARA
1. Suricata Rule to Detect Exploitation Attempts
alert http any any -> $HOME_NET any (msg:"Next.js React2Shell Exploit Attempt"; flow:to_server,established; content:"process.mainModule.constructor._load"; http_uri; nocase; content:"child_process.exec"; http_client_body; nocase; reference:url,github.com/vercel/next.js/security/advisories/GHSA-xxxx; classtype:attempted-admin; sid:2026040301; rev:1;)
2. YARA Rule to Identify Malware Payload (react.py)
rule React2Shell_Payload { meta: description = "Detects the react.py malware used in credential harvesting" author = "Security Team" date = "2026-04-03" strings: $s1 = "def harvest_aws_creds" ascii wide $s2 = "boto3.client('ec2')" ascii wide $s3 = "subprocess.Popen" ascii wide $s4 = "ssh-rsa" ascii wide $s5 = "/.env" ascii wide condition: any of ($s1, $s2, $s3, $s4, $s5) }3. Hunt for Suspicious Processes
Look for unusual network connections from Node.js sudo netstat -tunap | grep node Check for outbound connections to known malicious C2 IPs (example only) sudo lsof -i @45.155.205.233
What Undercode Say
This campaign underscores a dangerous trend: the industrialization of vulnerability exploitation. Attackers are no longer just probing; they are running automated, data-driven campaigns with alarming success rates. The attackers’ operational security failure—exposing their own C2 dashboard—provides a rare glimpse into their methods but should not distract from the core issue. Many organizations remain dangerously exposed.
- Key Takeaway 1: Treat your cloud credentials as a prime target. The shift-left movement towards embedding secrets in code and environment files has created a vast attack surface. Secrets management must be a non-negotiable part of the SDLC.
- Key Takeaway 2: Runtime detection is as important as prevention. While patching is critical, the speed of this attack (compromising over 59,000 servers in 48 hours) means many will be hit before they can patch. Investing in runtime security tools like Falco and robust logging is essential for limiting the blast radius.
Prediction
The “Operation PCPcat” playbook—scanning for a single RCE flaw and automating credential theft—will become the standard for mass exploitation campaigns. We predict a sharp rise in similar attacks targeting other popular JavaScript frameworks and serverless functions over the next 12 months. Consequently, cloud providers will be forced to implement more aggressive, default-on runtime scanning for vulnerable applications, potentially leading to automated quarantine of non-compliant deployments. Organizations that fail to decouple secrets from application code will continue to be the primary victims of this inevitable wave of automated breaches.
▶️ Related Video (82% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Hackermohitkumar Alert – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeTesting & Stay Tuned:
- Do not expose the Docker API socket (


