Security researchers have uncovered a large‑scale credential‑harvesting campaign that is exploiting the React2Shell vulnerability as an entry point to steal sensitive data at scale. The operation targets cloud and application environments, siphoning off database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command histories, Stripe API keys, and GitHub tokens.
Cisco Talos has attributed the activity to a threat cluster it tracks as UAT‑10608, noting that at least 766 systems across multiple geographic regions and cloud providers have already been compromised.
According to Talos researchers Asheer Malhotra and Brandon White, once access is gained, the attackers deploy automated tooling to systematically extract credentials from a range of services and applications before exfiltrating the data to attacker‑controlled command‑and‑control (C2) infrastructure.
The stolen information is uploaded to a C2 platform that hosts a web‑based graphical interface known as “NEXUS Listener,” which operators use to browse compromised hosts and analyze credential‑harvesting results through built‑in statistics.
The campaign specifically targets Next.js applications vulnerable to CVE‑2025‑55182 (CVSS score: 10.0), a critical flaw affecting React Server Components and the Next.js App Router that can enable remote code execution. Following exploitation, the attackers deploy the NEXUS Listener collection framework via a dropper mechanism.
This dropper initiates a multi‑stage harvesting script designed to collect an extensive range of system and cloud artifacts, including:
- Environment variables
- JSON‑parsed runtime environments from JavaScript processes
- SSH private keys and authorized_keys files
- Shell command history
- Kubernetes service account tokens
- Docker container metadata (running containers, images, exposed ports, network settings, mounted volumes, and environment variables)
- API keys
- Temporary cloud credentials tied to IAM roles by querying instance metadata services on AWS, Google Cloud, and Microsoft Azure
- Running process data
Talos noted that the scale and distribution of victims combined with the lack of targeted selection suggest the use of automated scanning, likely leveraging platforms such as Shodan, Censys, or custom reconnaissance tools to identify exposed Next.js deployments and test them for the vulnerability.
At the core of the operation is a password‑protected web application that allows threat actors to centrally manage stolen data. The interface provides searching and filtering capabilities, enabling operators to sift through credentials and hosts efficiently.
The application displays multiple statistics, including the total number of compromised hosts and the quantity of each credential type successfully extracted. It also allows operators to browse all affected systems and view the uptime of the NEXUS Listener service itself.
The observed version of NEXUS Listener is v3, suggesting the framework has undergone multiple development cycles and refinements prior to its current deployment.
Talos analysts were able to access data from an exposed NEXUS Listener instance, which contained a wide variety of high‑value secrets. These included Stripe API keys, credentials for artificial intelligence platforms such as OpenAI, Anthropic, and NVIDIA NIM, email and messaging service tokens from SendGrid and Brevo, Telegram bot tokens, webhook secrets, GitHub and GitLab tokens, database connection strings, and additional application credentials.
The researchers warned that the scope and depth of the stolen data significantly increase the risk of follow‑on attacks, as compromised hosts can be leveraged for lateral movement, cloud abuse, or resale to other threat actors. Organizations are urged to audit their environments carefully by enforcing least‑privilege access, implementing secret‑scanning tools, avoiding SSH key reuse, enforcing IMDSv2 on AWS EC2 instances, and rotating all credentials if compromise is suspected.
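A minimal secret scanner of the kind the recommendation above refers to, written here as an added example (it is not tooling from the Talos report): it checks a dumped .env file or shell history for the credential formats the campaign harvests and reports redacted hits rather than the secrets themselves. The prefix and length rules are assumptions based on the providers' published key formats and should be tuned for your environment.

```python
import re
from typing import NamedTuple

# Assumed prefix/length conventions for the credential types named in the article.
SECRET_PATTERNS = {
    "aws_access_key_id":    re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token":         re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "stripe_secret_key":    re.compile(r"\bsk_(live|test)_[0-9A-Za-z]{24,}\b"),
    "db_connection_string": re.compile(r"\b[a-z]+://[^\s:/@]+:[^\s@]+@"),
    "openssh_private_key":  re.compile(r"-----BEGIN (OPENSSH|RSA|EC) PRIVATE KEY-----"),
}

class Finding(NamedTuple):
    kind: str
    line_no: int
    redacted: str  # the scan output never carries the full secret

def redact(token: str) -> str:
    """Keep only a short prefix and suffix so a hit can be located without re-leaking it."""
    return token if len(token) <= 8 else f"{token[:4]}...{token[-4:]}"

def scan_lines(lines) -> list:
    """Return one Finding per credential-shaped match, in line order."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(kind, n, redact(m.group(0))))
    return findings

def scan_file(path: str) -> list:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh)

# Constructed sample resembling a dumped .env file; every value is fake.
SAMPLE = [
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "export GITHUB_TOKEN=ghp_" + "A1" * 18,          # 36-character body
    "STRIPE_KEY=sk_live_" + "x" * 24,
    "DATABASE_URL=postgres://app:pw@db:5432/app",
    "-----BEGIN OPENSSH PRIVATE KEY-----",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE):
        print(f"{f.kind:22} line {f.line_no}: {f.redacted}")
```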
“Beyond the immediate value of individual credentials, the aggregated dataset provides a detailed blueprint of each victim’s infrastructure,” the researchers concluded. “It reveals what services are in use, how they are configured, which cloud providers are involved, and what third‑party integrations exist—information that is extremely valuable for planning targeted attacks, social‑engineering campaigns, or selling access within criminal markets.”
