
We have observed large-scale credential harvesting operations exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens at scale.
Cisco Talos attributes this operation to the threat cluster we track as UAT-10608. At least 766 hosts across multiple geographic regions and cloud providers were compromised as part of this activity.
“After compromise, UAT-10608 leverages automated scripts to extract and steal credentials from various applications, which are then sent to command and control (C2),” security researchers Asheer Malhotra and Brandon White wrote in a report shared with The Hacker News ahead of publication.
“C2 hosts a web-based graphical user interface (GUI) titled ‘NEXUS Listener’ that allows you to view stolen information and gain analytical insights using pre-compiled statistics about collected credentials and compromised hosts.”
This campaign has been assessed to target Next.js applications vulnerable to CVE-2025-55182 (CVSS score: 10.0), a critical flaw in React Server Components and the Next.js App Router that can lead to remote code execution. The flaw is used for initial access, followed by deployment of the NEXUS Listener collection framework.
This is accomplished through a dropper that initiates the deployment of a multi-phase collection script that collects various details from the compromised system.
The collected details include:
- Environment variables (JSON-parsed environment from the JS runtime)
- SSH private keys and authorized_keys
- Shell command history
- Kubernetes service account tokens
- Docker container configuration (running containers, their images, public ports, network configuration, mount points, environment variables)
- API keys
- AWS, Google Cloud, and Microsoft Azure instance metadata
- Temporary credentials associated with IAM roles, obtained by querying the instance metadata service
- Running processes
The cybersecurity firm says the breadth of victims and the indiscriminate targeting pattern are consistent with automated scanning, likely leveraging services such as Shodan, Censys, or custom scanners to identify publicly accessible Next.js deployments and probe them for the flaw.
At the heart of this framework is a password-protected web application that makes all stolen data available to operators through a graphical user interface with search capabilities for sifting through the information.
“The application includes a list of several statistics, including the number of compromised hosts and the total number of each credential type successfully extracted from those hosts,” Talos said. “This web application allows users to see all compromised hosts. It also lists uptime for the application itself.”
The current version of NEXUS Listener is V3, indicating that the tool has gone through quite a few development iterations to reach its current stage.
Talos says it was able to retrieve data from unauthenticated NEXUS Listener instances, which included API keys related to Stripe, artificial intelligence platforms (OpenAI, Anthropic, NVIDIA NIM), and communications services (SendGrid and Brevo), as well as Telegram bot tokens, webhook secrets, GitHub and GitLab tokens, database connection strings, and other application secrets.
Large-scale data collection efforts highlight how attackers can use access to compromised hosts as a weapon to launch follow-up attacks. We recommend that organizations audit their environments to enforce the principle of least privilege, enable secret scanning, avoid reusing SSH key pairs, implement IMDSv2 enforcement on all AWS EC2 instances, and rotate credentials if a compromise is suspected.
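Since the collection script harvests temporary IAM role credentials from the instance metadata service, the IMDSv2 recommendation above is one of the few controls that directly blunts this step. The following added example (not from the report or from Talos) audits `aws ec2 describe-instances` output and flags instances that still answer unauthenticated IMDSv1 requests; the instance IDs and account number are constructed placeholders.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances --output json`
# (hypothetical instance IDs and account; not data from the report).
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{
        "Instances": [
            {   # role attached, IMDSv1 still allowed, hop limit lets containers reach IMDS
                "InstanceId": "i-0example1111111111",
                "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web"},
                "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                    "HttpPutResponseHopLimit": 2},
            },
            {   # compliant: IMDSv2 enforced
                "InstanceId": "i-0example2222222222",
                "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/api"},
                "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                    "HttpPutResponseHopLimit": 1},
            },
            {   # IMDS disabled entirely: nothing for a credential harvester to fetch
                "InstanceId": "i-0example3333333333",
                "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                    "HttpPutResponseHopLimit": 1},
            },
        ]
    }]
})


def audit_imds(describe_json: str) -> list[dict]:
    """Return one finding per instance whose metadata service still serves
    unauthenticated (IMDSv1) requests, so any process on the host can read
    the role's temporary credentials without first obtaining a session token."""
    findings = []
    for reservation in json.loads(describe_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled" or opts.get("HttpTokens") == "required":
                continue
            findings.append({
                "instance_id": inst["InstanceId"],
                "has_role": "IamInstanceProfile" in inst,   # credentials actually exposed?
                "hop_limit": opts.get("HttpPutResponseHopLimit"),  # >1 reaches into containers
            })
    return findings


if __name__ == "__main__":
    # Remediate each finding with:
    # aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required
    for f in audit_imds(SAMPLE_DESCRIBE_INSTANCES):
        print(f"{f['instance_id']}: IMDSv1 allowed (role attached: {f['has_role']}, hop limit {f['hop_limit']})")
```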
“Beyond the immediate operational value of individual credentials, it represents a detailed map of a victim organization’s infrastructure, including what services it runs, how it is configured, what cloud providers it uses, and what third-party integrations it has in place,” the researchers said.
“This intelligence provides significant value for creating targeted follow-on attacks, social engineering campaigns, or selling access to other threat actors.”
