
Over 700 Systems Compromised in NEXUS Campaign Targeting Cloud Data and API Keys

Featured image: Impreza's character Jake, compromised (Impreza Team, Impreza News, 2026)

Attackers are running a large-scale, automated credential-theft campaign against Next.js applications that are vulnerable to React2Shell (CVE-2025-55182), and the operation is still growing in both reach and speed.

At least 766 hosts across multiple cloud providers and regions have already been compromised, yielding database credentials, AWS credentials, SSH private keys, API keys, cloud tokens and environment secrets.

The operation is built around a web application named NEXUS Listener, which receives the loot, and a set of automated scripts that extract and exfiltrate sensitive data from the compromised applications.

The main panel of Nexus Listener
Source: Cisco Talos

Cisco Talos attributes the activity to a threat cluster it tracks as UAT-10608. The researchers gained access to an exposed NEXUS Listener instance, which let them analyze the data harvested from compromised systems and understand how the web application works.

Attack Chain: From Scanning to Credential Harvesting

The attack begins with automated scanning for vulnerable Next.js applications, which the attackers breach through React2Shell. They then drop a script in the system's temporary directory that runs a multi-phase credential-harvesting routine.

According to Cisco Talos researchers, the data stolen this way includes:

  • Environment variables and secrets (API keys, database credentials, GitHub/GitLab tokens)
  • SSH keys
  • Cloud credentials (AWS/GCP/Azure metadata, IAM credentials)
  • Kubernetes tokens
  • Docker/container information
  • Command history
  • Process and runtime data

Stealthy Exfiltration via C2 Infrastructure

The harvested data is then exfiltrated in chunks, each sent as an HTTP request to port 8080 on a command-and-control (C2) server running the NEXUS Listener web application.

The listener gives the operator a searchable, filterable view of the stolen data, along with summary statistics.
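The chain described above (web runtime spawning a script from the temp directory, that script reading credential files, then many small HTTP POSTs to port 8080) is a usable hunting signature even without any campaign-specific indicators. The following is an added example of such a hunt, not code from Cisco Talos or BleepingComputer. It assumes a flat process/network event feed; the event format, field names, hostnames and IPs are constructed for the example, and the script path `/tmp/.x/harvest.sh` is a placeholder, not a reported indicator.

```python
"""Hunt for the NEXUS-style post-exploitation chain.

Added example (not the article's or Talos' code). Assumes a flat
process/network event feed with the constructed field names below.
Only the combination of stages is reported: a single port-8080 POST or
a lone .env read is routine on many hosts.
"""
from collections import defaultdict

# Constructed telemetry, loosely modelled on EDR/auditd output.
# Hostnames, PIDs and IPs are placeholders (RFC 5737 documentation ranges).
EVENTS = [
    {"ts": 1, "host": "web-01", "type": "exec", "pid": 4101, "ppid": 1337,
     "parent_image": "/usr/bin/node", "image": "/bin/sh",
     "cmdline": "sh /tmp/.x/harvest.sh"},          # hypothetical path
    {"ts": 2, "host": "web-01", "type": "file_read", "pid": 4101,
     "path": "/app/.env"},
    {"ts": 3, "host": "web-01", "type": "file_read", "pid": 4101,
     "path": "/root/.ssh/id_rsa"},
    {"ts": 4, "host": "web-01", "type": "file_read", "pid": 4101,
     "path": "/root/.aws/credentials"},
    # Chunked exfiltration: many small POSTs to port 8080 on one external host.
    *[{"ts": 5 + i, "host": "web-01", "type": "net_connect", "pid": 4101,
       "dst_ip": "203.0.113.10", "dst_port": 8080, "proto": "tcp",
       "http_method": "POST", "bytes_out": 1024} for i in range(12)],
    # Benign noise: a normal Next.js server making one GET to an internal API.
    {"ts": 30, "host": "web-02", "type": "exec", "pid": 5000, "ppid": 1,
     "parent_image": "/usr/lib/systemd/systemd", "image": "/usr/bin/node",
     "cmdline": "node server.js"},
    {"ts": 31, "host": "web-02", "type": "net_connect", "pid": 5000,
     "dst_ip": "198.51.100.5", "dst_port": 8080, "proto": "tcp",
     "http_method": "GET", "bytes_out": 200},
]

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Paths matching the categories the article says are harvested.
SECRET_PATHS = (".env", "/.ssh/", "/.aws/", "/.kube/", "/.docker/",
                "/.bash_history", "/.git-credentials")
WEB_RUNTIMES = ("node", "next", "npm")


def hunt(events, post_threshold=5):
    """Return {(host, pid): [reasons]} for processes that hit >= 2 stages."""
    findings = defaultdict(list)
    posts = defaultdict(int)
    for e in events:
        key = (e["host"], e["pid"])
        if e["type"] == "exec":
            parent = e.get("parent_image", "").rsplit("/", 1)[-1]
            if parent in WEB_RUNTIMES and any(d in e["cmdline"] for d in TEMP_DIRS):
                findings[key].append("web runtime spawned script from temp dir")
        elif e["type"] == "file_read":
            if any(s in e["path"] for s in SECRET_PATHS):
                findings[key].append(f"credential file read: {e['path']}")
        elif e["type"] == "net_connect":
            if e["dst_port"] == 8080 and e.get("http_method") == "POST":
                posts[key] += 1
    for key, n in posts.items():
        if n >= post_threshold:
            findings[key].append(f"{n} HTTP POSTs to port 8080 (chunked exfil pattern)")
    return {k: v for k, v in findings.items() if len(v) >= 2}


if __name__ == "__main__":
    for (host, pid), reasons in hunt(EVENTS).items():
        print(f"{host} pid {pid}:")
        for r in reasons:
            print("  -", r)
```

The port number and the temp-directory launch are the weakest parts of the signature, since both are trivial for the operator to change; the process-lineage check (web runtime spawning a shell that then reads `.ssh`, `.aws` and `.env`) is the part worth keeping in a production rule.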

“The application contains a listing of several statistics, including the number of hosts compromised and the total number of each credential type that were successfully extracted from those hosts,” Cisco Talos says in a report.

“It also lists the uptime of the application itself. In this case, the automated exploitation and harvesting framework was able to successfully compromise 766 hosts within a 24-hour period.”

Volume of secrets collected in the campaign
Source: Cisco Talos

Impact: Cloud Takeover and Supply Chain Risks

The stolen secrets allow cloud account takeover and access to databases, payment systems and other services, and they open the door to supply chain attacks against anything the victim's tokens can push to. Harvested SSH keys additionally give the attackers a path for lateral movement across environments.

Cisco Talos also notes that the compromised data includes personally identifiable information (PII), which exposes victims to regulatory consequences under privacy law.

The researchers recommend that administrators apply the security updates for React2Shell, audit what server-side data their applications expose, and rotate all credentials immediately if they suspect a compromise. Given that the harvesting is fully automated and completes within moments of exploitation, a host that was reachable while unpatched should be treated as compromised and its secrets rotated rather than waiting for further evidence.

Teams should also enforce AWS IMDSv2, replace any SSH keys that are reused across hosts, enable secret scanning, deploy WAF/RASP protections in front of Next.js, and enforce least-privilege access for containers and cloud roles so that a single harvested token cannot be turned into a full account takeover.
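The first practical step of the rotation advice above is knowing what was actually sitting on the box. The following is an added example of a secret inventory, not code from the article, Cisco Talos or BleepingComputer. It scans the file types the campaign harvests (`.env` files, shell history, the `.ssh` and `.aws` directories) for well-known secret formats and emits a redacted rotation worklist. The file contents are constructed; the `AKIAIOSFODNN7EXAMPLE` value is AWS's documented example key, not a real credential, and the token/password regexes are this example's own, not an authoritative list.

```python
"""Inventory secrets exposed on a compromised host so they can be rotated.

Added example, not from the article or Cisco Talos. The sample files are
constructed; patterns are illustrative and not exhaustive.
"""
import re

# Constructed sample files, modelled on what a harvesting script collects.
SAMPLE_FILES = {
    "/app/.env": (
        "DATABASE_URL=postgres://app:S3cretPass@db.internal:5432/prod\n"
        "GITHUB_TOKEN=ghp_" + "a" * 36 + "\n"          # placeholder token
        "NEXT_PUBLIC_API=https://api.example.com\n"
    ),
    "/root/.aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"    # AWS doc example key
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "/root/.ssh/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\nb3Bl...\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "/root/.bash_history": "mysql -u root -pRootPw123 prod\n",
}

# A capturing group, where present, isolates the secret itself.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_access_key": re.compile(r"aws_secret_access_key\s*=\s*(\S+)"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "gitlab_token": re.compile(r"\bglpat-[A-Za-z0-9_\-]{20,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "db_url_with_password": re.compile(
        r"\b(?:postgres|postgresql|mysql|mongodb)://[^:\s]+:([^@\s]+)@"),
    # Password passed inline on the command line; noisy, review by hand.
    "cli_password_flag": re.compile(r"(?<=\s-p)\S+"),
}


def redact(value):
    """Keep enough of the value to identify it without re-exposing it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def inventory(files):
    """Return a list of (path, secret_type, redacted_value) to rotate."""
    findings = []
    for path, text in files.items():
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(text):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append((path, kind, redact(value)))
    return findings


def summarize(findings):
    """Count findings per secret type, the shape a rotation ticket needs."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = inventory(SAMPLE_FILES)
    for path, kind, value in found:
        print(f"{kind:24} {path:28} {value}")
    print(summarize(found))
```

Run this against a disk image or a read-only mount rather than the live host, and treat every hit as already stolen: the campaign's scripts collect exactly these files, so the question is not whether a secret was exposed but how quickly it can be revoked.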

Source: BleepingComputer
