A large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens at scale.
Cisco Talos has attributed the operation to a threat cluster it tracks as UAT-10608. At least 766 hosts spanning multiple geographic regions and cloud providers have been compromised as part of the activity.
"Post-compromise, UAT-10608 leverages automated scripts for extracting and exfiltrating credentials from a variety of applications, that are then posted to its command-and-control (C2)," security researchers Asheer Malhotra and Brandon White said in a report shared with The Hacker News ahead of publication.
"The C2 hosts a web-based graphical user interface (GUI) titled 'NEXUS Listener' that can be used to view stolen information and gain analytical insights using precompiled statistics on credentials harvested and hosts compromised."
The campaign is assessed to be targeting Next.js applications that are vulnerable to CVE-2025-55182 (CVSS score: 10.0), a critical flaw in React Server Components and Next.js App Router that could result in remote code execution, for initial access, and then dropping the NEXUS Listener collection framework.
This is accomplished by means of a dropper that proceeds to deploy a multi-phase harvesting script that collects various details from the compromised system -
- Environment variables
- JSON-parsed environment from JS runtime
- SSH private keys and authorized_keys
- Shell command history
- Kubernetes service account tokens
- Docker container configurations (running containers, their images, exposed ports, network configurations, mount points, and environment variables)
- API keys
- IAM role-associated temporary credentials by querying the Instance Metadata Service for AWS, Google Cloud, and Microsoft Azure
- Running processes
The cybersecurity company said the breadth of the victim set and the indiscriminate targeting pattern align with automated scanning, likely leveraging services like Shodan, Censys, or custom scanners, to identify publicly reachable Next.js deployments and probe them for the vulnerability.
Central to the framework is a password-protected web application that makes all the stolen data available to the operator via a graphical user interface that features search capabilities to sift through the information.
"The application contains a listing of several statistics, including the number of hosts compromised and the total number of each credential type that were successfully extracted from those hosts," Talos said. "The web application allows a user to browse through all of the compromised hosts. It also lists the uptime of the application itself."
The current version of NEXUS Listener is V3, indicating that the tool has undergone substantial development iterations before reaching the current stage.
Talos, which was able to obtain data from an unauthenticated NEXUS Listener instance, said it contained API keys associated with Stripe, artificial intelligence platforms (OpenAI, Anthropic, and NVIDIA NIM), communication services (SendGrid and Brevo), along with Telegram bot tokens, webhook secrets, GitHub and GitLab tokens, database connection strings, and other application secrets.
The extensive data gathering operation highlights how bad actors could weaponize access to compromised hosts to stage follow-on attacks. Organizations are advised to audit their environments to enforce the principle of least privilege, enable secret scanning, avoid reusing SSH key pairs, implement IMDSv2 enforcement on all AWS EC2 instances, and rotate credentials if compromise is suspected.
"Beyond the immediate operational value of individual credentials, the aggregate dataset represents a detailed map of the victim organizations' infrastructure: what services they run, how they're configured, what cloud providers they use, and what third-party integrations are in place," the researchers said.
"This intelligence has significant value for crafting targeted follow-on attacks, social engineering campaigns, or selling access to other threat actors."
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.