
React2Shell Exploited in Large-Scale Credential Harvesting Campaign

Using automated scanning and the Nexus Listener collection framework, the hackers compromised over 750 systems.


A threat actor has been exploiting vulnerable Next.js applications to compromise systems and exfiltrate credentials at scale, Cisco’s Talos security researchers warn.

Tracked as UAT-10608, the threat actor relies on automated scanning to identify applications affected by CVE-2025-55182 (CVSS score of 10), a critical remote code execution flaw in React Server Components that lets unauthenticated attackers run arbitrary code on the server, and which the cybersecurity community tracks as React2Shell.

Following initial access, the attackers leverage automated scripts and the Nexus Listener framework to harvest credentials, cloud tokens, SSH keys, and environment secrets at scale.

According to Talos, at least 766 systems have been compromised, and more than 10,000 files have been collected as part of the campaign.

“The breadth of the victim set and the indiscriminate targeting pattern is consistent with automated scanning — likely based on host profile data from services like Shodan, Censys, or custom scanners to enumerate publicly reachable Next.js deployments and probe them for the described React configuration vulnerabilities,” Talos notes.

UAT-10608 has been targeting public-facing web applications vulnerable to React2Shell, delivering a crafted payload in an HTTP request and executing arbitrary code in the server-side Node.js process.
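The scanning Talos describes works because a Next.js deployment announces itself in ordinary HTTP responses. The following is an added example, not code from the article or from Talos, that checks a response for the public markers a scanner of this kind keys on: the `X-Powered-By: Next.js` header, `/_next/static/` asset paths, the App Router's inline `self.__next_f.push` bootstrap (which indicates React Server Components are in use), and the Pages Router's `id="__next"` root element. The sample responses are constructed, and the weighting of the markers is this example's own. A positive fingerprint only says "Next.js is here"; whether the host is actually exploitable depends on the installed React and Next.js versions, which the response does not reveal.

```python
from typing import Callable, Mapping

# Public markers a Next.js deployment leaves in an HTTP response (added example,
# not the scanner UAT-10608 used). Each test receives lower-cased headers and the body.
MARKERS: dict[str, Callable[[Mapping[str, str], str], bool]] = {
    "powered_by_header": lambda h, b: h.get("x-powered-by", "").lower().startswith("next.js"),
    "static_asset_paths": lambda h, b: "/_next/static/" in b,
    "app_router_flight_bootstrap": lambda h, b: "self.__next_f.push" in b,
    "pages_router_root": lambda h, b: 'id="__next"' in b,
}


def fingerprint(headers: Mapping[str, str], body: str) -> dict:
    """Return which Next.js markers a response exposes.

    is_nextjs: any marker matched.
    uses_rsc:  the App Router bootstrap was seen, i.e. React Server Components are in use.
    Neither field proves the host is vulnerable; that requires the installed versions.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    hits = [name for name, test in MARKERS.items() if test(lowered, body)]
    return {
        "is_nextjs": bool(hits),
        "uses_rsc": "app_router_flight_bootstrap" in hits,
        "markers": hits,
    }


# Constructed sample responses (no real hosts were contacted).
SAMPLE_APP_ROUTER = (
    {"Content-Type": "text/html", "X-Powered-By": "Next.js"},
    '<html><head><script src="/_next/static/chunks/main-app.js"></script></head>'
    '<body><script>self.__next_f.push([0])</script></body></html>',
)
# Operator set poweredByHeader: false in next.config.js, but asset paths still leak the stack.
SAMPLE_HEADER_STRIPPED = (
    {"Content-Type": "text/html"},
    '<div id="__next"></div><script src="/_next/static/chunks/pages/index.js"></script>',
)
SAMPLE_NOT_NEXT = (
    {"Content-Type": "text/html", "X-Powered-By": "Express"},
    "<html><body>hello</body></html>",
)

if __name__ == "__main__":
    for label, (hdrs, body) in {
        "app-router": SAMPLE_APP_ROUTER,
        "header-stripped": SAMPLE_HEADER_STRIPPED,
        "not-next": SAMPLE_NOT_NEXT,
    }.items():
        print(label, fingerprint(hdrs, body))
```

Removing the `X-Powered-By` header is cheap and reasonable, but as the second sample shows it does not make a deployment invisible; patching does.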


The attackers rely on an automated script for multi-phased data collection that walks running processes and their command lines, the JavaScript runtime, SSH material, shell command history, tokens, cloud metadata APIs, Kubernetes service accounts, and container configurations.

The exfiltrated data is sent to the attackers’ command-and-control (C&C) server, where it is made available through the Nexus Listener web application.

Talos identified a Nexus Listener instance that had been left exposed and was able to inspect the application's inner workings and the exfiltrated data. The instance revealed the successful compromise of 766 hosts within 24 hours.

The stolen information includes keys for AI platforms, payment processors, AWS, and communication platforms, as well as GitHub tokens, database connection secrets, authentication tokens, passwords, and more.

SSH private keys, cloud credentials, Kubernetes service account tokens, Docker container variables, and shell command history files were also found on the exposed Nexus Listener instance.

All the exposed credentials, keys, tokens, and secrets in the dataset should be considered compromised and rotated, as they could lead to further compromise, including supply chain attacks, lateral movement, and compliance issues. Rotation alone is not enough while the exploited application remains unpatched: a new secret placed in the same environment is simply harvested again on the next request.
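The practical question after a compromise like this is "what exactly did the Node.js process have access to, and therefore what do I rotate?". The following is an added example, not code from the article or from Talos, that walks the same sources the collection script is described as reading (process environment, process command lines, shell history, SSH keys, and the Kubernetes service account token) and turns what it finds into a rotation plan grouped by credential type. The process environment and file contents are passed in as constructed sample data so it runs offline; on a real host you would feed it `/proc/<pid>/environ`, `/proc/<pid>/cmdline`, and the listed files. The secret regexes are this example's approximations of publicly known key formats, and the rotation actions are the example's own checklist, not Talos guidance.

```python
import re
from dataclasses import dataclass
from typing import Mapping

# Approximate formats for the credential categories the article lists as harvested.
# These are this example's own regexes, not Talos data; tune them to your estate.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "stripe_live_key": re.compile(r"\bsk_live_[A-Za-z0-9]{16,}\b"),
    "openai_style_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "database_url_with_password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^:\s/]+:[^@\s]+@"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    "cmdline_credential_flag": re.compile(r"(?i)(?:pass(?:word|wd)?|token|secret)=[^\s\x00]+"),
}
# Environment variable names worth a manual look even when no format matches.
SENSITIVE_NAME = re.compile(r"(?i)(secret|token|passw(or)?d|api[_-]?key|private[_-]?key|credential)")
K8S_SA_TOKEN = "/var/run/secrets/kubernetes.io/serviceaccount/token"

# Example checklist of what "rotate" means per credential type (this example's own).
ROTATION_ACTIONS = {
    "aws_access_key_id": "AWS IAM: deactivate the key, issue a new one, review CloudTrail for post-compromise use",
    "github_token": "GitHub: revoke the token, audit pushes, releases and Actions secrets (supply chain exposure)",
    "stripe_live_key": "Payment processor: roll the live key, review recent API activity",
    "openai_style_key": "AI platform: revoke the key, check usage and billing",
    "database_url_with_password": "Database: change the password, look for new users and bulk reads",
    "private_key_block": "SSH/TLS: remove the public key from every authorized_keys or trust store, reissue",
    "kubernetes_service_account_token": "Kubernetes: delete bound token secrets or restart the pod, review RBAC and audit log",
    "jwt": "Application: invalidate the session, rotate the signing key",
    "cmdline_credential_flag": "Move the credential out of argv (visible in /proc/*/cmdline), then rotate it",
    "sensitive_variable_name": "Review manually and rotate if live",
}


@dataclass
class Finding:
    source: str   # env var name or file path the value was read from
    kind: str     # key of SECRET_PATTERNS / ROTATION_ACTIONS
    preview: str  # redacted, safe to put in a ticket


def redact(value: str) -> str:
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def scan_text(source: str, text: str) -> list[Finding]:
    return [Finding(source, kind, redact(m.group(0)))
            for kind, pat in SECRET_PATTERNS.items() for m in pat.finditer(text)]


def scan_environ(env: Mapping[str, str]) -> list[Finding]:
    findings = []
    for name, value in env.items():
        hits = scan_text(f"env:{name}", value)
        if not hits and value and SENSITIVE_NAME.search(name):
            hits = [Finding(f"env:{name}", "sensitive_variable_name", redact(value))]
        findings.extend(hits)
    return findings


def scan_file(path: str, content: str) -> list[Finding]:
    if path == K8S_SA_TOKEN:  # classify by location, not by JWT shape
        return [Finding(path, "kubernetes_service_account_token", redact(content.strip()))]
    if path.endswith("/cmdline"):  # /proc/<pid>/cmdline is NUL-separated
        content = content.replace("\x00", " ")
    return scan_text(path, content)


def rotation_plan(env: Mapping[str, str], files: Mapping[str, str]) -> dict[str, list[Finding]]:
    findings = scan_environ(env)
    for path, content in files.items():
        findings.extend(scan_file(path, content))
    plan: dict[str, list[Finding]] = {}
    for f in findings:
        plan.setdefault(f.kind, []).append(f)
    return plan


def report(plan: Mapping[str, list[Finding]]) -> list[str]:
    return [f"{kind}: {ROTATION_ACTIONS.get(kind, 'review manually')} "
            f"[{', '.join(sorted({f.source for f in plan[kind]}))}]" for kind in sorted(plan)]


# Constructed host snapshot. Values are documentation/example strings, not live secrets.
SAMPLE_ENV = {
    "NODE_ENV": "production",
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "GITHUB_TOKEN": "ghp_abcdefghijklmnopqrstuvwxyz0123456789",
    "OPENAI_API_KEY": "sk-abcdefghijklmnopqrstuvwxyz0123456789",
    "DATABASE_URL": "postgres://app:s3cretpw@db.internal:5432/app",
    "SESSION_SECRET": "change-me-in-prod-please",
}
SAMPLE_FILES = {
    "/root/.ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
    "/root/.bash_history": "aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE\nexport STRIPE_KEY=sk_live_abcdefghijklmnopqrstuvwx\n",
    K8S_SA_TOKEN: "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJrdWJlcm5ldGVzIn0.c2lnbmF0dXJl",
    "/proc/4242/cmdline": "node\x00server.js\x00--db-password=hunter2\x00",
}

if __name__ == "__main__":
    for line in report(rotation_plan(SAMPLE_ENV, SAMPLE_FILES)):
        print(line)
```

The point of grouping by source is that the same credential often surfaces in several places (here the AWS key appears both in the environment and in shell history), and every copy is a location that needs cleaning after rotation, or the new value ends up next to the old one.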


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
