Hackers are running a large-scale campaign to steal credentials in an automated way after exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js apps.
At least 766 hosts across various cloud providers and geographies have been compromised to collect database and AWS credentials, SSH private keys, API keys, cloud tokens, and environment secrets.
The operation uses a framework named NEXUS Listener and leverages automated scripts to extract and exfiltrate sensitive data from various applications.
Cisco Talos attributes the activity to a threat cluster tracked as UAT-10608. The researchers gained access to an exposed NEXUS Listener instance, allowing them to analyze the type of data harvested from compromised systems and understand how the web application operates.

Source: Cisco Talos
Automated secret harvesting
The attack begins with automated scanning for vulnerable Next.js apps, which are breached via the React2Shell vulnerability. A script that executes a multi-phase credential-harvesting routine is placed in the standard temporary directory.
According to Cisco Talos researchers, the data stolen this way includes:
- Environment variables and secrets (API keys, database credentials, GitHub/GitLab tokens)
- SSH keys
- Cloud credentials (AWS/GCP/Azure metadata, IAM credentials)
- Kubernetes tokens
- Docker/container information
- Command history
- Process and runtime data
Sensitive data is exfiltrated in chunks, each sent via an HTTP request over port 8080 to a command-and-control (C2) server running the NEXUS Listener component. The attacker is then provided with a detailed view of the data, including search, filtering, and statistical insights.
“The application contains a listing of several statistics, including the number of hosts compromised and the total number of each credential type that were successfully extracted from those hosts,” Cisco Talos says in a report this week.
“It also lists the uptime of the application itself. In this case, the automated exploitation and harvesting framework was able to successfully compromise 766 hosts within a 24-hour period.”

Source: Cisco Talos
Defense recommendations
The stolen secrets allow attackers to perform cloud account takeover and access databases, payment systems, and other services, also opening the door to supply chain attacks. SSH keys could be used for lateral movement.
Cisco highlights that the compromised data, including personally identifiable details, also exposes victims to regulatory consequences from privacy law violations.
The researchers recommend that system administrators apply the security updates for React2Shell, audit server-side data exposure, and rotate all credentials immediately if there is suspicion of a compromise.
Administrators are also advised to enforce AWS IMDSv2 and replace any reused SSH keys. They should also enable secret scanning, deploy WAF/RASP protections for Next.js, and enforce least-privilege across containers and cloud roles to limit impact.
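The IMDSv2 recommendation above can be checked across a fleet from the DescribeInstances response. The following audit helper is an added example, not code from Cisco Talos or from the campaign; the instance IDs and metadata settings are a constructed sample, and the `enforce_imdsv2` remediation function assumes boto3 and live AWS credentials.

```python
"""Audit EC2 instances for IMDSv1 exposure (hypothetical helper, not from the Talos report)."""
from typing import Dict, List

# Constructed sample in the EC2 DescribeInstances response shape (not real hosts).
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa111", "MetadataOptions": {
            "HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0bbb222", "MetadataOptions": {
            "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0ccc333", "MetadataOptions": {
            "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ddd444", "MetadataOptions": {
            "HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    ]},
]


def audit_metadata_options(reservations: List[dict]) -> Dict[str, List[str]]:
    """Return {instance_id: [findings]} for instances whose IMDS settings would let
    a compromised web process (or a bridged container on the host) fetch IAM role
    credentials with a plain GET and no session token."""
    findings: Dict[str, List[str]] = {}
    for res in reservations:
        for inst in res.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # IMDS unreachable from the instance; nothing to harvest
            issues = []
            if opts.get("HttpTokens") != "required":
                issues.append("IMDSv1 allowed (HttpTokens != required)")
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                issues.append("hop limit > 1 lets bridged containers reach IMDS")
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings


def enforce_imdsv2(instance_ids: List[str], region: str = "us-east-1") -> None:
    """Remediate: require IMDSv2 tokens and cap the hop limit at 1 (live call, needs boto3)."""
    import boto3  # imported lazily so the offline audit above needs no AWS SDK
    ec2 = boto3.client("ec2", region_name=region)
    for iid in instance_ids:
        ec2.modify_instance_metadata_options(
            InstanceId=iid, HttpTokens="required", HttpPutResponseHopLimit=1)


if __name__ == "__main__":
    for iid, issues in audit_metadata_options(SAMPLE_RESERVATIONS).items():
        print(iid, "->", "; ".join(issues))
```

In live use, feed `audit_metadata_options` the `Reservations` list from `boto3.client("ec2").describe_instances()` and pass the flagged IDs to `enforce_imdsv2`.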
