### React2Shell Exploitation Leads to Mass Credential Theft Security researchers at **Cisco Talos** have uncovered a significant credential harvesting operation leveraging the React2Shell vulnerability. This vulnerability serves as the initial infection vector, enabling attackers to steal database credentials, SSH private keys, **Amazon Web Services (AWS)** secrets, shell command history, Stripe API keys, and **GitHub** tokens on a massive scale. ### UAT-10608: The Threat Actor Behind the Campaign **Cisco Talos** has attributed this campaign to a threat cluster they are tracking as **UAT-10608**. The scale of the operation is considerable, with at least 766 hosts compromised across various geographic regions and cloud providers. "Post-compromise, UAT-10608 leverages automated scripts for extracting and exfiltrating credentials from a variety of applications, that are then posted to its command-and-control (C2)," security researchers Asheer Malhotra and Brandon White stated in their report. ### NEXUS Listener: The C2 Framework The attackers utilize a command-and-control (C2) infrastructure that hosts a web-based graphical user interface (GUI) called 'NEXUS Listener.' This interface allows the threat actors to view stolen information and gain analytical insights using precompiled statistics on harvested credentials and compromised hosts. ### Targeting Next.js Applications The campaign primarily targets **Next.js** applications vulnerable to **CVE-2025-55182**, a critical flaw in React Server Components and **Next.js** App Router. This vulnerability, with a CVSS score of 10.0, allows for remote code execution, facilitating the deployment of the NEXUS Listener collection framework. The attack chain involves a dropper that deploys a multi-phase harvesting script to collect sensitive information from compromised systems, including: * Environment variables * JSON-parsed environment from JS runtime * SSH private keys and authorized_keys * Shell command history * Kubernetes service account tokens * Docker container configurations * API keys * IAM role-associated temporary credentials from **AWS**, **Google Cloud**, and **Microsoft Azure** * Running processes ### Automated Scanning and Indiscriminate Targeting The breadth of the victim set suggests the use of automated scanning techniques, potentially leveraging services like **Shodan**, **Censys**, or custom scanners, to identify publicly reachable **Next.js** deployments vulnerable to exploitation. ### NEXUS Listener's Capabilities The core of the framework is a password-protected web application, making the stolen data accessible to the operator through a GUI with search capabilities. "The application contains a listing of several statistics, including the number of hosts compromised and the total number of each credential type that were successfully extracted from those hosts," **Talos** explained. "The web application allows a user to browse through all of the compromised hosts. It also lists the uptime of the application itself." The current version of NEXUS Listener is V3, indicating significant development iterations. ### Sensitive Data Exposed **Talos** researchers, after accessing an unauthenticated NEXUS Listener instance, discovered API keys associated with **Stripe**, AI platforms like **OpenAI**, **Anthropic**, and **NVIDIA NIM**, communication services like **SendGrid** and **Brevo**, along with **Telegram** bot tokens, webhook secrets, **GitHub** and **GitLab** tokens, database connection strings, and other application secrets. ### Mitigation and Recommendations This extensive data gathering operation underscores the potential for attackers to weaponize compromised hosts for follow-on attacks. Organizations are advised to: * Audit environments to enforce the principle of least privilege. * Enable secret scanning. * Avoid reusing SSH key pairs. * Implement IMDSv2 enforcement on all **AWS EC2** instances. * Rotate credentials if compromise is suspected. ### The Bigger Picture "Beyond the immediate operational value of individual credentials, the aggregate dataset represents a detailed map of the victim organizations' infrastructure: what services they run, how they're configured, what cloud providers they use, and what third-party integrations are in place," the researchers noted. This intelligence is invaluable for crafting targeted follow-on attacks, social engineering campaigns, or selling access to other threat actors.