Nexus Listener: Automated Credential Theft Exploits React2Shell Vulnerability
A large-scale credential-harvesting campaign is actively exploiting the **React2Shell** vulnerability (CVE-2025-55182) in vulnerable **Next.js** applications. Threat actors are leveraging an automated framework called NEXUS Listener to steal sensitive data from compromised systems, impacting hundreds of hosts.

Cybersecurity researchers have uncovered a sophisticated campaign targeting **Next.js** applications vulnerable to the **React2Shell** exploit (CVE-2025-55182). The operation, attributed by **Cisco Talos** to a threat cluster tracked as UAT-10608, utilizes an automated framework named **NEXUS Listener** to harvest credentials and sensitive data from compromised systems.
### Widespread Compromise
At least 766 hosts across various cloud providers and geographic locations have been compromised. The attackers are focused on collecting database credentials, **Amazon Web Services (AWS)** credentials, SSH private keys, API keys, cloud tokens, and environment secrets.
### NEXUS Listener: The Automated Harvesting Tool
The **NEXUS Listener** framework automates the process of extracting and exfiltrating sensitive data. **Cisco Talos** gained access to an exposed instance of the framework, providing insight into its functionality and the scope of the data being harvested.

**The main panel of Nexus Listener**
*Source: Cisco Talos*
### Attack Chain: From Vulnerability to Exfiltration
The attack begins with automated scanning for vulnerable **Next.js** applications. Once a vulnerable target is identified, the **React2Shell** vulnerability is exploited to deploy a multi-phase credential-harvesting script into the standard temporary directory.
Data stolen includes:
* Environment variables and secrets (API keys, database credentials, GitHub/GitLab tokens)
* SSH keys
* Cloud credentials (**AWS**/GCP/Azure metadata, IAM credentials)
* Kubernetes tokens
* Docker/container information
* Command history
* Process and runtime data
The harvested data is then exfiltrated in chunks over HTTP on port 8080 to a command-and-control (C2) server running the **NEXUS Listener** component. The framework's panel gives the attackers a searchable, filterable view of the stolen data, along with summary statistics on what has been collected.
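The exfiltration pattern described above (many small HTTP POSTs from a web-app host to the same destination on port 8080 in a short window) is something an egress proxy log can surface. The following detection is an added example written for this article, not code from Cisco Talos or from the NEXUS Listener framework; the log line format and the sample lines are constructed for the example, and the destination, thresholds and window are assumptions that should be tuned to the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed egress proxy log format (constructed for this example):
# <iso8601> src=<ip> method=<verb> dst=<ip>:<port> path=<path> bytes=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) "
    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+) path=(?P<path>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample: one Next.js host (10.0.1.5) pushing four chunks to a
# C2 on port 8080 within seconds, and one host (10.0.1.9) with benign,
# widely spaced POSTs to an internal service on the same port.
SAMPLE_LOG = """\
2025-12-10T10:00:01Z src=10.0.1.5 method=GET dst=198.51.100.2:443 path=/api/npm bytes=812
2025-12-10T10:00:05Z src=10.0.1.5 method=POST dst=203.0.113.7:8080 path=/c bytes=4096
2025-12-10T10:00:06Z src=10.0.1.5 method=POST dst=203.0.113.7:8080 path=/c bytes=4096
2025-12-10T10:00:07Z src=10.0.1.5 method=POST dst=203.0.113.7:8080 path=/c bytes=4096
2025-12-10T10:00:08Z src=10.0.1.5 method=POST dst=203.0.113.7:8080 path=/c bytes=1530
2025-12-10T10:00:09Z src=10.0.1.9 method=POST dst=198.51.100.2:8080 path=/health bytes=64
2025-12-10T10:30:00Z src=10.0.1.9 method=POST dst=198.51.100.2:8080 path=/health bytes=64
2025-12-10T11:00:00Z src=10.0.1.9 method=POST dst=198.51.100.2:8080 path=/health bytes=64
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["port"] = int(rec["port"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def detect_chunked_exfil(lines, port=8080, min_requests=3, window_s=60, min_total_bytes=1024):
    """Flag (src, dst) pairs with >= min_requests POSTs to `port` inside any
    window_s-second window whose payloads sum to >= min_total_bytes.
    Returns one alert per flagged pair, covering the densest window seen."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["port"] == port:
            flows[(rec["src"], rec["dst"])].append(rec)

    alerts = []
    for (src, dst), recs in flows.items():
        recs.sort(key=lambda r: r["ts"])
        lo, best = 0, None
        for hi in range(len(recs)):
            # Slide the window start forward until it spans <= window_s seconds.
            while (recs[hi]["ts"] - recs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            count = hi - lo + 1
            total = sum(r["bytes"] for r in recs[lo:hi + 1])
            if count >= min_requests and total >= min_total_bytes:
                if best is None or count > best["requests"]:
                    best = {
                        "src": src, "dst": dst, "port": port,
                        "requests": count, "bytes": total,
                        "first": recs[lo]["ts"].isoformat(),
                        "last": recs[hi]["ts"].isoformat(),
                    }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_chunked_exfil(SAMPLE_LOG.splitlines()):
        print(alert)
```

The port is the weakest part of the signature: a C2 can listen anywhere, so a stronger rule keys on the source instead, since an application server running a Next.js app normally has no business originating bursts of outbound POSTs to an address it has never contacted before. Treat the port-8080 match as an enrichment, and alert on the burst itself.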

**Volume of secrets collected in the campaign**
*Source: Cisco Talos*
### Impact and Recommendations
The stolen credentials can enable attackers to take over cloud accounts, access databases and payment systems, and launch supply chain attacks. Stolen SSH keys facilitate lateral movement within the victim's network.
**Cisco** emphasizes the potential regulatory consequences stemming from the exposure of personally identifiable information.
To mitigate the risk, **Cisco Talos** recommends the following:
* Apply security updates for **React2Shell**.
* Audit server-side data exposure.
* Immediately rotate all credentials if compromise is suspected.
* Enforce **AWS** IMDSv2.
* Replace any reused SSH keys.
* Enable secret scanning.
* Deploy WAF/RASP protections for **Next.js** applications.
* Enforce least-privilege across containers and cloud roles.
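Two of the recommendations above, enforcing IMDSv2 and least privilege for containers, can be checked together from the output of `aws ec2 describe-instances`. The following audit is an added example written for this article, not code from Cisco Talos; the sample API output is constructed (only the fields the check reads are included) and the region is an assumption. It flags instances that still answer IMDSv1 requests (`HttpTokens` not `required`) and instances whose PUT response hop limit is above 1, which lets a container on the host reach the metadata service and its role credentials.

```python
# Constructed sample in the shape returned by `aws ec2 describe-instances`,
# trimmed to the fields this audit reads.
DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0bbb222",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc333",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]},
    ]
}


def audit_imds(describe_output):
    """Return one finding per instance whose metadata options leave IMDS
    credentials reachable by a harvesting script: IMDSv1 still allowed, or a
    hop limit that lets bridged containers reach 169.254.169.254."""
    findings = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # IMDS is off entirely; nothing to harvest here
            issues = []
            if opts.get("HttpTokens") != "required":
                issues.append("imdsv1-allowed")
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                issues.append("hop-limit>1")
            if issues:
                findings.append({"instance": inst["InstanceId"], "issues": issues})
    return findings


def remediation_commands(findings, region="us-east-1"):
    """Build the AWS CLI commands that enforce IMDSv2 and a hop limit of 1
    for each flagged instance (region is an assumption for the example)."""
    return [
        f"aws ec2 modify-instance-metadata-options --region {region} "
        f"--instance-id {f['instance']} --http-tokens required "
        f"--http-put-response-hop-limit 1"
        for f in findings
    ]


if __name__ == "__main__":
    found = audit_imds(DESCRIBE_INSTANCES)
    for f in found:
        print(f"{f['instance']}: {', '.join(f['issues'])}")
    for cmd in remediation_commands(found):
        print(cmd)
```

One caveat before applying the hop-limit change fleet-wide: workloads that legitimately obtain credentials from IMDS through a container network (rather than through task or pod roles) will break at hop limit 1. That is the right time to move them to per-workload roles, which is also what the least-privilege recommendation asks for, but it should be a planned change rather than a surprise.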