React2Shell Exploited in Large-Scale Credential Harvesting Campaign
UAT-10608 exploits React2Shell vulnerability to compromise 766 systems and harvest credentials at scale.
Summary
A threat actor tracked as UAT-10608 is exploiting CVE-2025-55182 (React2Shell), a critical React vulnerability in Next.js applications, to compromise over 766 systems and exfiltrate sensitive credentials, API keys, and tokens. The attackers use automated scanning tools and the Nexus Listener framework to harvest SSH keys, cloud credentials, GitHub tokens, Kubernetes service accounts, and other secrets at scale. An exposed Nexus Listener instance revealed the theft of over 10,000 files including AWS keys, payment processor credentials, and authentication tokens within 24 hours.
Full text
A threat actor has been exploiting vulnerable Next.js applications to compromise systems and exfiltrate credentials at scale, Cisco’s Talos security researchers warn.

Tracked as UAT-10608, the threat actor relies on automated scanning to identify applications impacted by CVE-2025-55182 (CVSS score of 10), a critical React vulnerability that allows remote, unauthenticated attackers to execute arbitrary code, and which is tracked as React2Shell by the cybersecurity community.

Following initial access, the attackers leverage automated scripts and the Nexus Listener framework to harvest credentials, cloud tokens, SSH keys, and environment secrets at scale. According to Talos, at least 766 systems have been compromised, and more than 10,000 files have been collected as part of the campaign.

“The breadth of the victim set and the indiscriminate targeting pattern is consistent with automated scanning — likely based on host profile data from services like Shodan, Censys, or custom scanners to enumerate publicly reachable Next.js deployments and probe them for the described React configuration vulnerabilities,” Talos notes.

UAT-10608 has been targeting public-facing web applications vulnerable to React2Shell to deliver a crafted payload via an HTTP request and execute arbitrary code in the server-side Node.js process.

The attackers rely on an automated script for multi-phased data collection, iterating through running processes, the JavaScript runtime, SSH, shell command history, tokens, cloud metadata APIs, Kubernetes service accounts, container configurations, and running process command lines. The exfiltrated data is sent to the attackers’ command-and-control (C&C) server, where it is made available through the Nexus Listener web application.

Talos identified a Nexus Listener instance that was left exposed and was able to peek into the application’s inner workings and exfiltrated data.
The instance revealed the successful compromise of 766 hosts within 24 hours. The stolen information includes keys for AI platforms, payment processors, AWS, and communication platforms, as well as GitHub tokens, database connection secrets, auth tokens, passwords, and more. SSH private keys, cloud credentials, Kubernetes service account tokens, Docker container environment variables, and shell command history files were also found on the exposed Nexus Listener instance.

All the exposed credentials, keys, tokens, and secrets in the dataset should be considered compromised and rotated, as they could lead to further compromise, including supply chain attacks, lateral movement, and compliance issues.

Written By Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.
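The post-exploitation behaviour described above (code execution inside the Node.js server process, followed by reads of SSH keys, shell history, Kubernetes service-account tokens and the cloud metadata API) leaves a recognisable trace in process telemetry: credential-reading commands appearing as descendants of the web server. The following detection logic is an added example written for this page; it is not Talos tooling and not code from the article. The event line format (`pid ppid comm args`), the sample events, and the list of sensitive paths and endpoints are all constructed for the example, the latter assembled from the artefact types the report names.

```python
"""Flag child processes of a Node.js/Next.js server that look like credential harvesting.

Input is a list of constructed process-execution events in the hypothetical format
    "<pid> <ppid> <comm> <full command line>"
(the kind of record an EDR, auditd or eBPF sensor would produce).  The detector
walks each event's parent chain; anything descending from a Node.js process that is
a shell, or whose command line touches a sensitive path/endpoint, is reported.
"""
import re
from dataclasses import dataclass

# A production Next.js server has no reason to spawn an interactive shell.
SHELLS = {"sh", "bash", "dash", "zsh"}

# Process names treated as the Node.js server (hypothetical; adjust to your runtime).
NODE_NAMES = {"node", "next-server", "nodejs"}

# Hypothetical list of artefacts whose access from a web-server child signals credential
# theft: SSH keys, shell history, Kubernetes service-account tokens, the cloud metadata
# API, process environments, AWS credential files and .env files.
SENSITIVE = [
    re.compile(p)
    for p in (
        r"/\.ssh/",
        r"\.bash_history",
        r"\.zsh_history",
        r"/var/run/secrets/kubernetes\.io/",
        r"169\.254\.169\.254",
        r"/proc/\d+/environ",
        r"\.aws/credentials",
        r"\.env\b",
    )
]


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    comm: str   # executable name
    args: str   # full command line


@dataclass
class Finding:
    pid: int
    reason: str
    args: str


def parse_event(line):
    """Parse one constructed 'pid ppid comm args...' line into a ProcEvent."""
    pid, ppid, comm, *rest = line.split(maxsplit=3)
    return ProcEvent(int(pid), int(ppid), comm, rest[0] if rest else "")


def descends_from_node(ev, by_pid):
    """Return True if any ancestor of ev (by ppid) is a Node.js process."""
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        if cur.comm in NODE_NAMES:
            return True
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return False


def detect(lines):
    """Return a Finding for every suspicious process spawned beneath a Node.js server."""
    events = [parse_event(l) for l in lines if l.strip()]
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        # Node workers forking Node workers is normal; only inspect non-Node descendants.
        if ev.comm in NODE_NAMES or not descends_from_node(ev, by_pid):
            continue
        if ev.comm in SHELLS:
            findings.append(Finding(ev.pid, "shell spawned under Node.js server", ev.args))
            continue
        for pat in SENSITIVE:
            if pat.search(ev.args):
                findings.append(Finding(ev.pid, f"sensitive access: {pat.pattern}", ev.args))
                break
    return findings


# Constructed sample telemetry: one compromised Next.js server (pid 100) and one
# legitimate admin SSH session (pid 300) reading their own shell history.
SAMPLE_EVENTS = [
    "1 0 systemd /sbin/init",
    "100 1 node node server.js",
    "101 100 sh sh -c 'cat /root/.ssh/id_rsa; env'",
    "102 101 cat cat /root/.ssh/id_rsa",
    "103 101 curl curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "104 101 cat cat /var/run/secrets/kubernetes.io/serviceaccount/token",
    "200 1 node node worker.js",
    "201 200 node node child.js",
    "300 1 sshd sshd: admin",
    "301 300 bash -bash",
    "302 301 cat cat /home/admin/.bash_history",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.reason}: {f.args}")
```

Run against the sample events, the detector reports pids 101 (shell under the server), 102 (SSH key), 103 (metadata API) and 104 (service-account token), and stays silent on the admin session because its ancestry is `sshd`, not `node`. The shell-spawn rule is the high-value one: it fires on the first stage of the chain regardless of which secrets are read afterwards. Tune `NODE_NAMES` to your process manager and expect to allow-list build or deploy steps that legitimately run shell commands under Node.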
Indicators of Compromise
- cve — CVE-2025-55182
- malware — React2Shell
- malware — Nexus Listener