Hackers exploit React2Shell in automated credential theft campaign

Hackers are running a large-scale campaign to steal credentials in an automated fashion after exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js apps.

At least 766 hosts across multiple cloud providers and geographies have been compromised to collect database and AWS credentials, SSH private keys, API keys, cloud tokens, and environment secrets.

The operation uses a framework named NEXUS Listener and leverages automated scripts to extract and exfiltrate sensitive data from various applications.

Cisco Talos attributes the activity to a threat cluster tracked as UAT-10608. The researchers gained access to an exposed NEXUS Listener instance, allowing them to analyze the type of data harvested from compromised systems and understand how the web application operates.

The main panel of Nexus Listener. Source: Cisco Talos

Automated secret harvesting

The attack begins with automated scanning for vulnerable Next.js apps, which are breached via the React2Shell vulnerability. A script that executes a multi-phase credential-harvesting routine is placed in the standard temporary directory.

According to Cisco Talos researchers, the data stolen this way includes:

  • Environment variables and secrets (API keys, database credentials, GitHub/GitLab tokens)
  • SSH keys
  • Cloud credentials (AWS/GCP/Azure metadata, IAM credentials)
  • Kubernetes tokens
  • Docker/container information
  • Command history
  • Process and runtime data

Sensitive data is exfiltrated in chunks, each sent via an HTTP request over port 8080 to a command-and-control (C2) server running the NEXUS Listener component. The attacker is then provided with a detailed view of the data, including search, filtering, and statistical insights.

“The application contains a list of several statistics, including the number of hosts compromised and the total number of each credential type that were successfully extracted from these hosts,” Cisco Talos says in a report this week.

“It also lists the uptime of the application itself. In this case, the automated exploitation and harvesting framework was able to successfully compromise 766 hosts within a 24-hour period.”

Volume of secrets collected in the campaign. Source: Cisco Talos

Defense recommendations

The stolen secrets allow attackers to perform cloud account takeover and access databases, payment systems, and other services, also opening the door to supply chain attacks. SSH keys could be used for lateral movement.


Cisco highlights that the compromised data, including personally identifiable details, also exposes victims to regulatory penalties from privacy law violations.

The researchers recommend that system administrators apply the security updates for React2Shell, audit server-side data exposure, and rotate all credentials immediately if there is any suspicion of a compromise.

Additionally, it is recommended to enforce AWS IMDSv2 and replace any reused SSH keys. Administrators should also enable secret scanning, deploy WAF/RASP protections for Next.js, and enforce least privilege across containers and cloud roles to limit impact.
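One way to act on the IMDSv2 recommendation is to audit which EC2 instances still answer metadata requests without a session token, since the harvester collects cloud metadata credentials. The following is an added example, not code from the article or from Cisco Talos; it assumes input in the shape of an EC2 DescribeInstances response (the sample below is constructed) and builds the parameters for a ModifyInstanceMetadataOptions call rather than calling AWS itself.

```python
# Added example (not from the article or Cisco Talos): audit EC2 instances for
# IMDSv2 enforcement. Input has the shape of an EC2 DescribeInstances response.

# Constructed sample in the shape of a DescribeInstances response.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
            {"InstanceId": "i-0bbb222",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
            {"InstanceId": "i-0ccc333",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
            {"InstanceId": "i-0ddd444"},  # no MetadataOptions block at all
        ]},
    ],
}


def find_imdsv1_instances(response):
    """Return IDs of instances whose metadata endpoint accepts token-less (IMDSv1) requests.

    An instance is exposed when HttpEndpoint is enabled and HttpTokens is not
    'required'. A missing MetadataOptions block is treated as exposed so that
    the instance is reviewed rather than silently skipped.
    """
    exposed = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions")
            if opts is None:
                exposed.append(inst["InstanceId"])
                continue
            endpoint_on = opts.get("HttpEndpoint", "enabled") == "enabled"
            if endpoint_on and opts.get("HttpTokens") != "required":
                exposed.append(inst["InstanceId"])
    return exposed


def remediation_params(instance_ids):
    """Keyword arguments for ec2.modify_instance_metadata_options(), one per instance."""
    return [{"InstanceId": i, "HttpTokens": "required"} for i in instance_ids]


if __name__ == "__main__":
    exposed_ids = find_imdsv1_instances(SAMPLE_DESCRIBE_INSTANCES)
    for params in remediation_params(exposed_ids):
        # With boto3 this would be: ec2.modify_instance_metadata_options(**params)
        print(params)
```

In a real account, feed the function the paginated output of `describe_instances` and review the flagged list before applying the change, since workloads that still use IMDSv1 will lose metadata access once tokens are required.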
