A massive campaign has compromised 766 Next.js hosts by exploiting the CVE-2025-55182 vulnerability, allowing attackers to steal sensitive credentials, including database login details, SSH private keys, and cloud service secrets1. The attackers are using the React2Shell vulnerability as an initial infection vector to gain access to the targeted systems. The stolen credentials can be used to gain unauthorized access to sensitive data and systems, posing a significant risk to the affected organizations. The threat cluster behind the operation has been tracked by Cisco Talos, which has attributed the attacks to a specific group. The exploitation of CVE-2025-55182 is currently being discussed by Amazon, and the status of the vulnerability will determine whether it requires immediate patching or ongoing monitoring. This breach matters to security practitioners because it highlights the importance of promptly addressing known vulnerabilities to prevent large-scale credential harvesting operations.