Emergency Maintenance
Resolved
Dec 08 at 08:10pm GMT
[9:09 PM CET] We discovered an unusual number of processes running from an obfuscated location on our VPS. This happened while we were investigating a service disruption to our webroot service on December 5th, and we immediately took all services offline.
[10:15 PM CET] We are nearly done with our VPS reset and are getting close to full service restoration.
[10:37 PM CET] All services have been restored.
What happened?
From the data we were able to gather before resetting the server, we found that our system was affected by the Next.js vulnerability (CVE-2025-55182), which allowed malicious Node programs to be installed on our VPS. We noticed the issue after we started experiencing unexplained service disruptions, along with another user on the same hosting service publicly reporting that they were hit by the same exploit.


Based on what we found, it looks like our server may have been used to send denial-of-service traffic to other servers. While we can’t confirm the full extent of the activity, the affected services have been reset, patched, and brought back online, and we’re keeping a close eye on things moving forward.
Affected services