Quick summary of what happened:
- Running Next.js 15.0.3 with React Server Components
- CVE-2025-55182 disclosed Dec 3rd, server compromised Dec 4th
- Discovered via DigitalOcean DDoS abuse notification
- Found 5 malware families: credential scanner, MeshAgent RAT, DDoS bot, miner killer, and XMRig dropper

Key findings:
- Attackers specifically targeted crypto/Web3 credentials (200+ search patterns)
- Process hiding via /proc bind mounts (rootkit technique)
- 327 DigitalOcean droplets participated in DDoS attack

Patched to Next.js 15.0.5+, rotated all credentials, cleaned system.
Breakdown + Samples here: https://asleepace.com/blog/malware-cve-2025-55182-exploitati...
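
A detection check for the /proc bind-mount hiding listed under key findings, as an added example that is not from the original post or the linked write-up: it parses text in /proc/self/mountinfo format and flags any mount whose mount point sits at or below /proc/<pid>. The sample lines, the PID and the paths in them are constructed, and the function names are this example's own.

```python
import re
import sys

# A mount at /proc/<pid> (or below it) shadows that process's real /proc entry,
# so ps/top, which enumerate /proc, no longer show the process.
PID_MOUNT = re.compile(r"^/proc/(\d+)(?:/.*)?$")

# Constructed sample in /proc/self/mountinfo format (not taken from the incident).
SAMPLE = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
28 1 252:1 / / rw,relatime shared:1 - ext4 /dev/vda1 rw
35 22 0:30 / /proc/sys/fs/binfmt_misc rw,relatime shared:14 - autofs systemd-1 rw,fd=29
91 22 252:1 /tmp/.x /proc/4242 rw,relatime shared:1 - ext4 /dev/vda1 rw
"""

def unescape(field):
    # mountinfo writes space, tab, newline and backslash as \ooo octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def find_proc_overmounts(mountinfo_text):
    """Return one dict per mount that covers a /proc/<pid> path."""
    findings = []
    for line in mountinfo_text.splitlines():
        # Fixed fields come before " - "; fstype and source come after it.
        left, sep, right = line.partition(" - ")
        fields, tail = left.split(), right.split()
        if not sep or len(fields) < 6 or not tail:
            continue  # malformed or truncated line
        root, mount_point = unescape(fields[3]), unescape(fields[4])
        match = PID_MOUNT.match(mount_point)
        if match:
            findings.append({
                "pid": int(match.group(1)),
                "mount_point": mount_point,
                "root": root,  # directory inside the source fs that was bound here
                "fstype": tail[0],
                "source": tail[1] if len(tail) > 1 else "",
            })
    return findings

if __name__ == "__main__":
    # Pass /proc/self/mountinfo as the argument on a live host; default is the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for f in find_proc_overmounts(text):
        print(f"hidden pid {f['pid']}: {f['root']} ({f['fstype']}) over {f['mount_point']}")
```

The check only sees mounts in the mount namespace it runs in, so run it as root in the host namespace rather than from inside a container.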