Fetching from the wire…
Top 5 · 2026-04-03 · source-backed
Cisco Talos uncovered "UAT-10608", a credential harvesting campaign exploiting CVE-2025-55182 (CVSS 10.0) in React Server Components and Next.js App Router. 766 servers worldwide. 24 hours. Post-compromise, 91.5% of hosts leaked database credentials and 78.2% exposed SSH private keys.
The attackers built a platform called "NEXUS Listener" with a web GUI. They're not manually exploiting these servers. They built a product for it.
This is the part that caught me off guard. The industrialization. Someone built a management console for mass exploitation of a single vulnerability. The economics of attacks have shifted the same way the economics of software have: build a platform, scale horizontally, automate everything.
Next.js is everywhere in the AI ecosystem. Agent dashboards, internal tools, startup MVPs, production apps. If you're running Next.js App Router, patch immediately. Not "this week." Today. The automated scanning means you're not competing against a human attacker's schedule. You're competing against a bot that never sleeps.
This drops in the same week as Chrome's fourth zero-day of 2026 (CVE-2026-5281, a use-after-free in Dawn WebGPU, CISA federal patch deadline April 15) and the Langflow CVE-2026-33017 active exploitation timeline that Sysdig documented going from disclosure to compromise in 20 hours. Three of Chrome's four 2026 zero-days target graphics/rendering subsystems. The attack surface is shifting toward the rendering pipeline, the AI pipeline, and the frontend framework layer, all at once.
Update Chrome to 146.0.7680.178. Patch Next.js. Audit your Langflow instances. The window between disclosure and mass exploitation is now measured in hours, not weeks.
Each link below shares sources, entities, or timing with this story.
Sysdig criticizes Langflow / Shared entities / Shared topic / Earlier coverage
Linked by a graph relationship (Sysdig criticizes Langflow); both cover April, Audit, CISA, CVE; overlapping topics (attack, attacker, credential).
Sysdig criticizes Langflow / Shared entities / Same source / Shared topic / What happened next
Linked by a graph relationship (Sysdig criticizes Langflow); both cover CISA, CVE, CVSS, Langflow; cite the same source (Langflow CVE-2026-33017 active exploitation timeline).
Sysdig criticizes Langflow / Shared entities / Same source domain / Shared topic / Earlier coverage
Linked by a graph relationship (Sysdig criticizes Langflow); both cover CVSS, Hours, Langflow, Langflow CVE; reported by the same outlet (thehackernews.com).
Sysdig criticizes PraisonAI / Shared entities / Same source domain / What happened next
Linked by a graph relationship (Sysdig criticizes PraisonAI); both cover CVE, CVSS, POST, Sysdig; reported by the same outlet (sysdig.com).
Gemini uses Chrome / Shared entities / Same source domain / Shared topic / Earlier coverage
Linked by a graph relationship (Gemini uses Chrome); both cover Chrome, CVE, CVSS; reported by the same outlet (thehackernews.com).
Sysdig criticizes Langflow / Shared entities / Same source / Shared topic / What happened next
Linked by a graph relationship (Sysdig criticizes Langflow); both cover CISA, CVE, Langflow; cite the same source (Langflow CVE-2026-33017 active exploitation timeline).
Sysdig criticizes Langflow / Shared entities / Same source domain / Shared topic / What happened next / Tension
Linked by a graph relationship (Sysdig criticizes Langflow); both cover Langflow, Sysdig; reported by the same outlet (sysdig.com).
Google released Chrome / Shared entities / Same source domain / What happened next
Linked by a graph relationship (Google released Chrome); both cover Audit, CISA, CVE, CVSS; reported by the same outlet (thehackernews.com).