My next js server was hacked, help me understand how.

[v3i1y]

Summary

I host a personal site via Next.js. I recently noticed that the static html of the site got embedded a malicious script

<script src="https://static-6r1.pages.dev/min.js"></script>

The script is obfuscated, but it basically triggers a redirect to a scam site.

This is happening after I patched my site for the React2Shell CVE.
Following are my deps, (next and react are my only dependencies):

{
  "dependencies": {
    "next": "15.3.5",
    "react": "^19.2.1",
    "react-dom": "^19.2.1",
    "@radix-ui/react-slot": "^1.1.0",
    "class-variance-authority": "^0.7.1",
    "clsx": "^2.1.1",
    "tailwind-merge": "^3.3.1"
  },
  "devDependencies": {
    "@types/node": "^20",
    "@types/react": "^19.2.7",
    "@types/react-dom": "^19.2.3",
    "eslint": "^9",
    "eslint-config-next": "15.3.5",
    "typescript": "^5",
    "tailwindcss": "^4",
    "@tailwindcss/postcss": "^4"
  }
}

In my console log, I have a bunch of following error, not sure if it's caused by the attack:

 ⨯ [TypeError: Cannot read properties of undefined (reading 'aa')] {   digest: '2379470528' }

The script does not seem to be injected through proxy, because I am able to see the injected code directly accessing the server. However, I don't see file system modified by the attacker too, following is the output of docker diff

➜ ~ docker diff 0f634b351bff
C /root
A /root/.npm
A /root/.npm/_logs
A /root/.npm/_logs/2025-12-09T04_45_19_420Z-debug-0.log
A /root/.npm/_logs/2025-12-10T02_05_32_228Z-debug-0.log
A /root/.npm/_logs/2025-12-09T04_20_05_728Z-debug-0.log
A /root/.npm/_logs/2025-12-09T04_18_05_017Z-debug-0.log
A /root/.npm/_logs/2025-12-09T04_46_33_503Z-debug-0.log
A /root/.npm/_logs/2025-12-09T04_58_25_660Z-debug-0.log
A /root/.npm/_logs/2025-12-09T05_00_02_987Z-debug-0.log
A /root/.npm/_logs/2025-12-09T05_06_15_292Z-debug-0.log
A /root/.npm/_logs/2025-12-09T05_08_13_108Z-debug-0.log
A /root/.npm/_logs/2025-12-10T02_07_09_673Z-debug-0.log
A /root/.npm/_logs/2025-12-08T21_38_17_370Z-debug-0.log
A /root/.npm/_update-notifier-last-checked
➜ ~

So, I can only assume that the attacker was able to modify the static page data in the memory.

The site is really simple static html with link to some of my social media pages. It's hosted through cloudflare. There's no async calls dynamic content what's so ever. How next.js can allow this to happen? Really appreciate any help

Additional information

No response

Example

No response

[jowo-io]

Do you use umami for analytics by any chance?

[miladfaraji]

i have same issue, i use umami too

[v3i1y]

it was because I didn't upgrade nextjs version correctly.

[jowo-io]

make sure you roll your app secrets, they may have been compromised. better safe than sorry.

[v3i1y]

thanks, I don't have secrets in my app.

[jowo-io]

Is anyone aware of a way to analyse the script file injected min.js script to understand exactly what it's doing? Be good to assess if anything more malicious than opening tabs to gambling sites was taking place.

[ishigami]

I've found the same script in my NextJS 15 website. I've applied the patch using the React2Shell and the malicious script is still there.

I have only a Google Tag Manager applied (it applies a Google Analytics and Clarity scripts) and my deploy is done through a webhook on Github.

I'm still investigating it. If I have any news I'll keep updated here.

[v3i1y]

Are you sure? make sure you are not hitting caches. I was able to remove the script by simply restart my deployment, the hack was in memory only.

[ishigami]

Yes. I've rebuilt manually my NextJS project and restarted the PM2 too. But it still loading the malicious script.

[ishigami]

Now I've removed the malicious code. I did the following steps:

• deleted the node_modules manually
• removed the .next folder manually
• upgraded next JS to the latest 15 (v15.5.9) through npx fix-react2shell-next command
• run yarn build
• restarted PM2 process