Full Report
A large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens at scale. Cisco Talos has attributed the operation to a threat cluster it tracks as
Analysis Summary
# Incident Report: Large-Scale Credential Harvesting via React2Shell (CVE-2025-55182)
## Executive Summary
A threat cluster identified as UAT-10608 is conducting a large-scale automated exploitation of the "React2Shell" vulnerability (CVE-2025-55182) targeting Next.js applications. The operation utilizes a specialized framework called "NEXUS Listener" to harvest an extensive array of sensitive credentials, cloud secrets, and infrastructure configurations from over 766 compromised hosts. The attack results in total infrastructure exposure, providing the actors with the necessary data for significant follow-on attacks or secondary access sales.
## Incident Details
- **Discovery Date:** April 02, 2026 (Report Publication)
- **Incident Date:** Ongoing / Active 2026
- **Affected Organization:** Multiple (766+ unique hosts)
- **Sector:** Cross-industry (Apps using React/Next.js)
- **Geography:** Global (Multiple geographic regions and cloud providers)
## Timeline of Events
### Initial Access
- **Date/Time:** Active campaign observed in early 2026.
- **Vector:** Remote Code Execution (RCE) via CVE-2025-55182.
- **Details:** Attackers exploit a CVSS 10.0 remote code execution flaw in React Server Components, reachable through the Next.js App Router, to run code on the web server as the application user.
### Lateral Movement
- **Details:** While the report focuses on credential theft, the automated scripts query Kubernetes service account tokens, Docker configurations, and IAM role credentials to facilitate movement into cloud control planes and containerized environments.
### Data Exfiltration/Impact
- **Details:** Automated scripts extract environment variables, SSH keys, shell history, API keys (Stripe, OpenAI, GitHub), and cloud metadata. This data is posted to a centralized C2 server running the "NEXUS Listener" GUI.
### Detection & Response
- **Discovery:** Cisco Talos identified the activity through threat intelligence monitoring and unauthenticated access to a NEXUS Listener V3 instance.
- **Response Actions:** Public disclosure of the UAT-10608 cluster and release of mitigation strategies for impacted Next.js deployments.
## Attack Methodology
- **Initial Access:** Automated scanning (via Shodan/Censys) for vulnerable Next.js instances and exploitation of CVE-2025-55182.
- **Persistence:** Dropping the NEXUS Listener collection framework/multi-phase harvesting scripts.
- **Privilege Escalation:** Querying Instance Metadata Services (IMDS) for AWS, GCP, and Azure to obtain temporary IAM role credentials.
- **Defense Evasion:** No dedicated evasion tooling is described; the campaign relies on speed and volume (indiscriminate, rapid automated exploitation) and blends exfiltration into ordinary HTTP/HTTPS traffic to a centralized web-based C2.
- **Credential Access:** Harvesting `.bash_history`, environment variables, SSH private keys, and application-specific API tokens.
- **Discovery:** Automated enumeration of running processes, Docker configurations, and network mount points.
- **Lateral Movement:** Usage of stolen GitHub/GitLab tokens and Kubernetes tokens to move from the web app to the broader CI/CD and cloud infrastructure.
- **Collection:** Multi-phase scripts gather environment data and secrets into a structured format.
- **Exfiltration:** Data is exfiltrated via HTTP/HTTPS to a C2 hosting the NEXUS Listener V3 interface.
- **Impact:** Mass credential theft and infrastructure "mapping" for potential follow-on extortion or secondary breaches.
## Impact Assessment
- **Financial:** High potential risk due to compromised Stripe API keys and cloud service billing via stolen IAM credentials.
- **Data Breach:** Massive; loss of SSH keys, database connection strings, and internal configuration files across 766+ compromised hosts (the report counts hosts, not organizations).
- **Operational:** High; attackers gain enough information to replicate or shut down cloud environments and containerized services.
- **Reputational:** High for affected SaaS providers and organizations whose customer data may be accessed via the stolen keys.
## Indicators of Compromise
- **Network indicators:** C2 traffic to "NEXUS Listener" web applications (the specific C2 addresses are not reproduced in this summary).
- **File indicators:** Multi-phase harvesting scripts; presence of dropper files associated with UAT-10608.
- **Behavioral indicators:** Queries to the Instance Metadata Service (169.254.169.254) originating from the web server process; that process reading shell history, SSH keys, .env files or Kubernetes service account tokens; unexpected outbound traffic from Next.js web servers to unknown IPs.
## Response Actions
- **Containment:** Upgrade Next.js and React to versions that fix CVE-2025-55182. Patching alone does not undo a compromise that has already harvested credentials, so treat every host that was exposed while vulnerable as compromised until eradication and rotation are complete.
- **Eradication:** Terminate unauthorized processes; delete harvesting scripts and NEXUS Listener droppers.
- **Recovery:** Rotate *all* credentials the scripts could reach: everything in environment variables and configuration files (GitHub/GitLab tokens, Stripe and OpenAI keys, AWS IAM secrets, database connection strings), SSH private keys found on the host, and Kubernetes service account tokens. Temporary IAM role credentials obtained from IMDS expire on their own, but revoke the role's active sessions and review its CloudTrail activity for the exposure window.
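Rotation goes wrong when a secret is missed, so the first recovery step is an inventory of what the harvesting scripts could have read. The script below is an added example, not part of the report: it parses a dumped environment or .env file (the sample is constructed, with fake values), classifies each value by the publicly documented prefix formats of the token types this campaign steals, redacts it for the incident ticket, and orders the rotation list by blast radius. Values with no recognisable shape, such as an AWS secret access key, are caught by a variable-name heuristic, which is an assumption about naming conventions rather than a guarantee.

```python
"""Inventory harvested secrets for rotation (added example, not from the report)."""
import re
from typing import Dict, List

# (label, priority, pattern). Lower priority number = rotate first.
PATTERNS = [
    ("aws_access_key_id", 1, re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")),
    ("github_token", 1, re.compile(r"^(gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})$")),
    ("gitlab_token", 1, re.compile(r"^glpat-[A-Za-z0-9_-]{20,}$")),
    ("database_url", 1, re.compile(r"^(postgres(ql)?|mysql|mongodb(\+srv)?|redis)://[^:/]+:[^@]+@")),
    ("private_key_pem", 1, re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("stripe_secret_key", 2, re.compile(r"^(sk|rk)_(live|test)_[A-Za-z0-9]{24,}$")),
    ("openai_api_key", 3, re.compile(r"^sk-[A-Za-z0-9_-]{20,}$")),
]
# Assumed naming convention: variables with these words usually hold a secret
# even when the value has no distinctive format (e.g. AWS_SECRET_ACCESS_KEY).
SECRET_NAME_HINT = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE)", re.I)


def redact(value: str) -> str:
    """Keep enough of the value to identify it (first 4, last 2); hide the rest."""
    if len(value) <= 8:
        return "*" * len(value)
    return f"{value[:4]}...{value[-2:]}"


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines (dotenv or `env` output); strips quotes, skips comments."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        out[key] = value
    return out


def inventory(text: str) -> List[dict]:
    """Return rotation items sorted by priority, each with the secret redacted."""
    items = []
    for key, value in parse_env(text).items():
        label, prio = None, None
        for name, p, pat in PATTERNS:
            if pat.search(value):
                label, prio = name, p
                break
        if label is None and SECRET_NAME_HINT.search(key):
            label, prio = "unclassified_secret", 4
        if label is None:
            continue
        items.append({"var": key, "type": label, "priority": prio, "redacted": redact(value)})
    items.sort(key=lambda i: (i["priority"], i["var"]))
    return items


# Constructed sample of a harvested .env; every value is fake.
SAMPLE_ENV = """# app config (constructed sample)
DATABASE_URL=postgres://app:S3cr3tPass@db.internal:5432/app
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
STRIPE_SECRET_KEY="sk_live_0123456789abcdefghijklmnop"
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyzAB
OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz0123
NEXT_PUBLIC_SITE_NAME=Example Shop
PORT=3000
"""

if __name__ == "__main__":
    for item in inventory(SAMPLE_ENV):
        print(f"P{item['priority']} {item['var']:<24} {item['type']:<20} {item['redacted']}")
```

Run it against the environment of the Next.js process and against every .env file on the host, not just the repository copy; the redacted output is what goes into the ticket, never the raw dump.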
## Lessons Learned
- **Patch Management:** Critical vulnerabilities in popular frameworks (Next.js) must be patched immediately as they are primary targets for automated botnets.
- **Secret Management:** Long-lived secrets kept in environment variables or configuration files on the web host are readable by any code running as the application, so a single RCE exposes all of them at once; prefer a dedicated vault that issues short-lived, narrowly scoped credentials at runtime.
- **Cloud Security:** The web process could read the instance role's credentials from IMDS. Enforcing IMDSv2 closes the SSRF path, but an attacker who already executes code on the host can complete the IMDSv2 token exchange as well, so the effective limits are the role's permissions and a hop limit or network policy that keeps containers from reaching IMDS.
## Recommendations
- **Apply Security Patches:** Immediately update Next.js and React dependencies.
- **IMDSv2 Migration:** Enforce IMDSv2 (token required) with a PUT response hop limit of 1 on all EC2 instances; this defeats SSRF-based theft and stops bridged containers from obtaining a token, but does not stop code running directly on the host, which only least privilege on the instance role can bound.
- **Principle of Least Privilege:** Limit the permissions of the IAM roles and Kubernetes service accounts used by web applications; a Next.js front end rarely needs more than read access to a few resources, and anything broader becomes the attacker's foothold into the control plane.
- **Secret Scanning:** Implement automated scanning (e.g., GitHub Secret Scanning) to detect and revoke leaked tokens.
- **SSH Hardening:** Disable SSH password authentication and ensure SSH keys are protected with passphrases; do not reuse keys across environments.
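The IMDSv2 recommendation is easy to state and easy to leave half-applied across a fleet. The script below is an added example, not from the report: audit() is a pure function over the DescribeInstances response shape, so it runs offline against captured JSON (the sample reservations and instance IDs are constructed), and harden() applies the fix through boto3, which is imported only when that function is called and requires real AWS credentials. The hop limit check is the part people forget: with a limit above 1 a process inside a bridged container can still complete the PUT/GET exchange, which is exactly the containerised Next.js case this campaign hits.

```python
"""Audit and enforce IMDSv2 on EC2 instances (added example, not from the report)."""
from typing import Dict, List


def audit(reservations: List[dict]) -> List[Dict[str, str]]:
    """Return one finding per instance whose metadata options are weak.

    `reservations` is the "Reservations" list from ec2.describe_instances().
    """
    findings = []
    for res in reservations:
        for inst in res.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # IMDS is off entirely; nothing there to steal
            problems = []
            if opts.get("HttpTokens") != "required":
                problems.append("IMDSv1 allowed (HttpTokens != required)")
            if int(opts.get("HttpPutResponseHopLimit", 1)) > 1:
                problems.append("hop limit > 1 lets containers reach IMDS")
            if problems:
                findings.append({"InstanceId": inst["InstanceId"], "problems": "; ".join(problems)})
    return findings


def fetch_reservations(region: str) -> List[dict]:
    """Page through DescribeInstances for running instances (needs boto3 and credentials)."""
    import boto3  # imported lazily so audit() stays usable offline
    ec2 = boto3.client("ec2", region_name=region)
    out: List[dict] = []
    paginator = ec2.get_paginator("describe_instances")
    for page in paginator.paginate(Filters=[{"Name": "instance-state-name", "Values": ["running"]}]):
        out.extend(page["Reservations"])
    return out


def harden(instance_ids: List[str], region: str) -> None:
    """Require IMDSv2 tokens and set the PUT response hop limit to 1."""
    import boto3  # imported lazily so audit() stays usable offline
    ec2 = boto3.client("ec2", region_name=region)
    for iid in instance_ids:
        ec2.modify_instance_metadata_options(
            InstanceId=iid,
            HttpTokens="required",
            HttpPutResponseHopLimit=1,
            HttpEndpoint="enabled",
        )


# Constructed DescribeInstances-shaped sample; instance IDs are fake.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpTokens": "optional", "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0ccc", "MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 3, "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0ddd", "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled"}},
    ]}
]

if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_reservations(region)
    # and pass the flagged IDs to harden() for a live fleet.
    for f in audit(SAMPLE_RESERVATIONS):
        print(f"{f['InstanceId']}: {f['problems']}")
```

Before running harden() against a real fleet, confirm that nothing on those instances still depends on IMDSv1 (old SDKs, hand-rolled curl in user-data scripts); the audit output tells you where to look first.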