User vsem joined AbuseIPDB in June 2026 and has reported 4 IP addresses.
Standing (weight) is Unknown.
ACTIVE USER
| IP | Date | Comment | Categories |
|
🇺🇸
138.124.123.107
|
|
Automated exploitation of Next.js CVE GHSA-9qr9-h5gf-34mp (RCE via React
Server Components / Flight Protocol). IP sent POST requests to /_next/
endpoints attempting Remote Code Execution.
Attack observed: 2026-06-01
Target: Docker container running Next.js (port 443 via Traefik)
Requests: 138.124.123.107 → 1 POST request
Attempted payload actions (all failed due to hardening):
- SSH key exfiltration (~/.ssh/id_rsa, id_ed25519, id_ecdsa)
- .env file exfiltration at multiple paths
- Malware binary download and execution (/tmp/safenetv6)
Server: 148.251.4.171 (Hetzner, DE)
Log source: Traefik access log
|
Hacking
Web App Attack
|
|
🇸🇬
178.128.31.110
|
|
Automated exploitation of Next.js CVE GHSA-9qr9-h5gf-34mp (RCE via React
Server Components / Flight Protocol). IP sent POST requests to /_next/
endpoints attempting Remote Code Execution.
Attack observed: 2026-06-01
Target: Docker container running Next.js (port 443 via Traefik)
Requests: 178.128.31.110 → 1 POST request
Attempted payload actions (all failed due to hardening):
- SSH key exfiltration (~/.ssh/id_rsa, id_ed25519, id_ecdsa)
- .env file exfiltration at multiple paths
- Malware binary download and execution (/tmp/safenetv6)
Server: 148.251.4.171 (Hetzner, DE)
Log source: Traefik access log
|
Hacking
Web App Attack
|
|
🇩🇪
139.59.143.102
|
|
Automated exploitation of Next.js CVE GHSA-9qr9-h5gf-34mp (RCE via React
Server Components / Flight Protocol). IP sent POST requests to /_next/
endpoints attempting Remote Code Execution.
Attack observed: 2026-06-01
Target: Docker container running Next.js (port 443 via Traefik)
Requests: 139.59.143.102 → 8 POST requests
Attempted payload actions (all failed due to hardening):
- SSH key exfiltration (~/.ssh/id_rsa, id_ed25519, id_ecdsa)
- .env file exfiltration at multiple paths
- Malware binary download and execution (/tmp/safenetv6)
Server: 148.251.4.171 (Hetzner, DE)
Log source: Traefik access log
|
Hacking
Web App Attack
|
|
🇨🇦
38.22.104.108
|
|
Automated exploitation of Next.js CVE GHSA-9qr9-h5gf-34mp (RCE via React
Server Components / Flight Protocol). IP sent POST requests to /_next/
endpoints attempting Remote Code Execution.
Attack observed: 2026-06-01
Target: Docker container running Next.js (port 443 via Traefik)
Requests: 38.22.104.108 → 62 POST requests (primary attacker)
Attempted payload actions (all failed due to hardening):
- SSH key exfiltration (~/.ssh/id_rsa, id_ed25519, id_ecdsa)
- .env file exfiltration at multiple paths
- Malware binary download and execution (/tmp/safenetv6)
Server: 148.251.4.171 (Hetzner, DE)
Log source: Traefik access log
|
Hacking
Web App Attack
|