Saved February 14, 2026
Do you care about this?
Jake Saunders recounts waking up to an email from his hosting provider about suspicious activity from his server, which turned out to be running cryptocurrency mining software. He discovered that a vulnerability in the Next.js framework, used by his analytics tool Umami, allowed an attacker to exploit his server. After a tense investigation, he confirmed that the malware was contained within a Docker container and hadn't compromised the host system.
If you do, here's more
Jake Saunders woke up to an alarming email from Hetzner, his server provider, warning him of suspicious activity originating from his server. The message included evidence of network scanning and a threat to shut down his server if the issue wasn't resolved. Upon investigating, Jake found that his server was mining Monero, a cryptocurrency, without his consent. This unauthorized mining had been ongoing for ten days, significantly spiking his CPU usage.
Using SSH, he discovered multiple processes related to mining software, specifically xmrig, running under an unusual user ID (1001). His investigation led him to a Docker container running Umami, a privacy-focused analytics tool. The container, unbeknownst to him, was built on Next.js, which he hadn't realized was vulnerable due to a critical security flaw (CVE-2025-66478). This flaw allowed attackers to exploit the application through specially crafted HTTP requests, leading to remote code execution and the installation of mining software.
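The triage step described above, as an added example that is not from the article: a small Python helper that flags miner-like processes in ps output, notes when they run under a UID outside the expected set, and reads /proc/<pid>/cgroup text to attribute each one to a Docker container or to the host. The ps output and cgroup contents are constructed samples, and the process-name patterns and the list of expected UIDs are assumptions.

```python
import re

# Constructed `ps -eo pid,uid,comm,args --no-headers` output (sample data, not real).
PS_SAMPLE = """\
  612     0 sshd    /usr/sbin/sshd -D
 2310  1001 xmrig   ./xmrig -o pool.example.invalid:3333 --donate-level 1
 2400  1001 node    node server.js
 3001  1000 bash    -bash
"""

# Constructed /proc/<pid>/cgroup contents (cgroup v2 style, Docker scope names).
CGROUP_SAMPLE = {
    612: "0::/system.slice/ssh.service",
    2310: "0::/system.slice/docker-3f1a9c2b7d8e.scope",
    2400: "0::/system.slice/docker-3f1a9c2b7d8e.scope",
    3001: "0::/user.slice/user-1000.slice/session-4.scope",
}

# Names/flags commonly seen with CPU miners; a starting list (assumption), not complete.
MINER_PATTERN = re.compile(r"xmrig|minerd|--donate-level|stratum\+tcp", re.I)
CONTAINER_ID = re.compile(r"docker-([0-9a-f]{12,64})\.scope")

def parse_ps(text):
    """Return (pid, uid, comm, args) tuples from ps output lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        args = parts[3] if len(parts) == 4 else ""
        rows.append((int(parts[0]), int(parts[1]), parts[2], args))
    return rows

def container_of(cgroup_text):
    """Docker container id from /proc/<pid>/cgroup text, or None if on the host."""
    m = CONTAINER_ID.search(cgroup_text)
    return m.group(1) if m else None

def find_miners(ps_text, cgroups, known_uids=(0, 1000)):
    """Flag miner-like processes, mark unexpected UIDs, attribute to container/host."""
    hits = []
    for pid, uid, comm, args in parse_ps(ps_text):
        if MINER_PATTERN.search(comm) or MINER_PATTERN.search(args):
            hits.append({
                "pid": pid, "uid": uid, "comm": comm,
                "unexpected_uid": uid not in known_uids,  # e.g. UID 1001 in the article
                "container": container_of(cgroups.get(pid, "")) or "host",
            })
    return hits
```

On a live host the same logic applies to `ps -eo pid,uid,comm,args --no-headers` and the text of each `/proc/<pid>/cgroup`; a hit attributed to a container id can then be matched against `docker ps --no-trunc`.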
Jake's situation highlights the risks of not fully understanding the dependencies in your tech stack. While he believed he wasn't using Next.js directly, his analytics tool's reliance on it opened a backdoor for attackers. The incident serves as a stark reminder of the importance of staying informed about the technologies running on your servers and the potential vulnerabilities they may introduce.