
Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials

A large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens at scale.

Cisco Talos has attributed the operation to a threat cluster it tracks as UAT-10608. At least 766 hosts spanning multiple geographic regions and cloud providers have been compromised as part of the activity.

“Post-compromise, UAT-10608 leverages automated scripts for extracting and exfiltrating credentials from a variety of applications, which are then posted to its command-and-control (C2),” security researchers Asheer Malhotra and Brandon White said in a report shared with The Hacker News ahead of publication.

“The C2 hosts a web-based graphical user interface (GUI) titled ‘NEXUS Listener’ that can be used to view stolen information and gain analytical insights using precompiled statistics on credentials harvested and hosts compromised.”

The campaign is assessed to be targeting Next.js applications that are vulnerable to CVE-2025-55182 (CVSS score: 10.0), a critical flaw in React Server Components and the Next.js App Router that could result in remote code execution, for initial access, and then dropping the NEXUS Listener collection framework.


This is achieved by means of a dropper that proceeds to deploy a multi-phase harvesting script that collects various details from the compromised system –

  • Environment variables
  • JSON-parsed environment from the JS runtime
  • SSH private keys and authorized_keys
  • Shell command history
  • Kubernetes service account tokens
  • Docker container configurations (running containers, their images, exposed ports, network configurations, mount points, and environment variables)
  • API keys
  • IAM role-associated temporary credentials, obtained by querying the Instance Metadata Service on AWS, Google Cloud, and Microsoft Azure
  • Running processes

The cybersecurity company said the breadth of the victim set and the indiscriminate targeting pattern align with automated scanning, likely leveraging services like Shodan, Censys, or custom scanners, to identify publicly reachable Next.js deployments and probe them for the vulnerability.

Central to the framework is a password-protected web application that makes all the stolen data accessible to the operator via a graphical user interface with search capabilities to sift through the information.


“The application contains a list of several statistics, including the number of hosts compromised and the total number of each credential type that were successfully extracted from these hosts,” Talos said. “The web application allows a user to browse through all of the compromised hosts. It also lists the uptime of the application itself.”

The current version of NEXUS Listener is V3, indicating that the tool has undergone substantial development iterations before reaching its present stage.

Talos, which was able to obtain data from an unauthenticated NEXUS Listener instance, said it contained API keys associated with Stripe, artificial intelligence platforms (OpenAI, Anthropic, and NVIDIA NIM), and communication services (SendGrid and Brevo), along with Telegram bot tokens, webhook secrets, GitHub and GitLab tokens, database connection strings, and other application secrets.

The extensive data gathering operation highlights how bad actors could weaponize access to compromised hosts to stage follow-on attacks. Organizations are advised to audit their environments to enforce the principle of least privilege, enable secret scanning, avoid reusing SSH key pairs, enforce IMDSv2 on all AWS EC2 instances, and rotate credentials if compromise is suspected.
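The IMDSv2 recommendation above is the one that directly blunts the "query the Instance Metadata Service for temporary IAM credentials" step of the harvester: with `HttpTokens` set to `required`, a plain GET from a compromised process returns nothing. The audit below is an added example written for this article, not Talos tooling or AWS code. It walks a `describe_instances`-shaped response, flags instances where IMDSv1 is still allowed (and, separately, where the PUT response hop limit is above 1, which is legitimate on container hosts but worth a review elsewhere), and emits the `aws ec2 modify-instance-metadata-options` commands to fix them. The instance ids, Name tags, and `SAMPLE_RESPONSE` are constructed; `fetch_live_response` shows the boto3 call to use against a real account and is not exercised offline.

```python
"""Audit EC2 instances for IMDSv1 exposure and emit remediation commands.

Added example for this article, not Talos or AWS code. Input mirrors the shape
of boto3's ec2.describe_instances() response; the sample below is constructed.
"""
from typing import Any, Dict, List

# Constructed sample shaped like a boto3 ec2.describe_instances() response.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "Reservations": [{"Instances": [
        {   # IMDSv1 still allowed: a token is optional, so a bare GET works
            "InstanceId": "i-0aaa111example",
            "Tags": [{"Key": "Name", "Value": "nextjs-web-1"}],
            "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                "HttpPutResponseHopLimit": 1},
        },
        {   # IMDSv2 enforced, hop limit 2 (typical for a Docker/Kubernetes host)
            "InstanceId": "i-0bbb222example",
            "Tags": [{"Key": "Name", "Value": "nextjs-web-2"}],
            "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                "HttpPutResponseHopLimit": 2},
        },
        {   # IMDS endpoint disabled entirely: nothing for a harvester to read
            "InstanceId": "i-0ccc333example",
            "Tags": [],
            "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                "HttpPutResponseHopLimit": 1},
        },
    ]}]
}


def instance_name(inst: Dict[str, Any]) -> str:
    """Return the Name tag, or the instance id when no Name tag exists."""
    for tag in inst.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag["Value"]
    return inst["InstanceId"]


def audit_imds(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One finding per instance whose metadata options need attention.

    "imdsv1-allowed": HttpTokens is not "required", so any process on the host
    can read role credentials with an unauthenticated GET to the link-local IP.
    "hop-limit-N": IMDSv2 is enforced but the PUT response TTL is above 1, which
    lets containers behind a bridge obtain tokens; fine on container hosts,
    worth reviewing on a plain web server.
    """
    findings: List[Dict[str, Any]] = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue  # no metadata service reachable at all
            issues: List[str] = []
            if opts.get("HttpTokens", "optional") != "required":
                issues.append("imdsv1-allowed")
            hop = opts.get("HttpPutResponseHopLimit", 1)
            if hop > 1:
                issues.append(f"hop-limit-{hop}")
            if issues:
                findings.append({"InstanceId": inst["InstanceId"],
                                 "Name": instance_name(inst), "issues": issues})
    return findings


def remediation_commands(findings: List[Dict[str, Any]]) -> List[str]:
    """AWS CLI commands that switch IMDSv1-exposed instances to token-only mode."""
    return [
        "aws ec2 modify-instance-metadata-options "
        f"--instance-id {f['InstanceId']} --http-tokens required --http-endpoint enabled"
        for f in findings
        if "imdsv1-allowed" in f["issues"]
    ]


def fetch_live_response() -> Dict[str, Any]:
    """Collect all reservations in the configured account/region.

    Needs boto3 and AWS credentials; not used by the offline sample run.
    """
    import boto3  # imported lazily so the offline demo has no dependency

    paginator = boto3.client("ec2").get_paginator("describe_instances")
    reservations: List[Dict[str, Any]] = []
    for page in paginator.paginate():
        reservations.extend(page["Reservations"])
    return {"Reservations": reservations}


if __name__ == "__main__":
    results = audit_imds(SAMPLE_RESPONSE)
    for finding in results:
        print(f"{finding['Name']} ({finding['InstanceId']}): {', '.join(finding['issues'])}")
    for cmd in remediation_commands(results):
        print(cmd)
```

Run it as-is to see the two findings from the constructed sample; replace `SAMPLE_RESPONSE` with `fetch_live_response()` to audit a real region. Enforcing IMDSv2 is not a substitute for rotating any role credentials that may already have been read from a compromised host, since temporary credentials stay valid until they expire.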


“Beyond the immediate operational value of individual credentials, the aggregate dataset represents a detailed map of the victim organizations’ infrastructure: what services they run, how they’re configured, what cloud providers they use, and what third-party integrations are in place,” the researchers said.

“This intelligence has significant value for crafting targeted follow-on attacks, social engineering campaigns, or selling access to other threat actors.”
