Hackers are running a large-scale campaign to steal credentials in an automated way after exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js apps. [...]
# Incident Report: Large-Scale Credential Harvesting via React2Shell (CVE-2025-55182)
## Executive Summary
A large-scale automated campaign, attributed to threat actor UAT-10608, is exploiting the React2Shell vulnerability (CVE-2025-55182) in Next.js applications. The attack utilizes a custom framework called "NEXUS Listener" to rapidly extract environment secrets, cloud credentials, and SSH keys. The campaign successfully compromised 766 hosts within a single 24-hour period, posing a severe risk of cloud account takeovers and supply chain compromises.
## Incident Details
- **Discovery Date:** April 2026 (Reported April 5, 2026)
- **Incident Date:** Ongoing (roughly 700+ hosts compromised per day)
- **Affected Organization:** Multiple (766+ victims identified)
- **Sector:** Cross-sector (Targeting Next.js web applications)
- **Geography:** Global (Various cloud providers and regions)
## Timeline of Events
### Initial Access
- **Date/Time:** April 2026
- **Vector:** Automated scanning and exploitation of CVE-2025-55182.
- **Details:** Attackers target Next.js applications vulnerable to React2Shell, allowing for remote JavaScript code execution.
### Lateral Movement
- **Mechanism:** While the report focuses on the initial harvest, the extraction of SSH private keys and Kubernetes tokens provides the necessary materials for lateral movement within internal networks and cloud environments.
### Data Exfiltration/Impact
- **Details:** Automated scripts upload the harvested data in chunks over HTTP to a C2 server listening on port 8080. The data includes AWS, GCP and Azure credentials, SSH keys, API tokens, and environment variables.
### Detection & Response
- **Discovery:** Cisco Talos discovered and accessed an exposed instance of the "NEXUS Listener" C2 framework.
- **Response actions taken:** Threat intelligence public disclosure by Cisco Talos; recommendations for patching and credential rotation issued to the community.
## Attack Methodology
- **Initial Access:** Exploitation of CVE-2025-55182 (React2Shell).
- **Persistence:** Script deployment in standard temporary directories (`/tmp`).
- **Privilege Escalation:** Not explicitly detailed, but leverages application-level permissions to access environment variables and metadata services.
- **Defense Evasion:** Automated extraction scripts; use of temporary directories.
- **Credential Access:** Harvesting of `.env` files, shell history, and cloud provider metadata services (IMDS).
- **Discovery:** Automated scanning for vulnerable Next.js instances; process and runtime data collection.
- **Lateral Movement:** Potential via stolen SSH keys and cloud IAM roles.
- **Collection:** Multi-phase harvesting routine targeting secrets, Docker info, and command history.
- **Exfiltration:** Data sent in chunks via HTTP requests to port 8080.
- **Impact:** Credential theft leading to potential account takeover and supply chain attacks.
## Impact Assessment
- **Financial:** High (Cost of remediation, potential fraud from stolen payment system keys).
- **Data Breach:** Critical (SSH keys, AWS/GCP/Azure secrets, DB credentials, and PII).
- **Operational:** Business disruption from required secret rotation and potential service shutdowns for patching.
- **Reputational:** High (Exposure to regulatory consequences under privacy laws).
## Indicators of Compromise
- **Network indicators:**
  - C2 communication: `[C2_IP_ADDRESS]:8080` (C2 address redacted in this summary).
  - Automated scanning for Next.js endpoints.
- **File indicators:**
  - Malicious scripts located in `/tmp` directories.
- **Behavioral indicators:**
  - Unexpected HTTP POST requests to external IPs on port 8080.
  - Rapid sequence of reads across sensitive files such as `.bash_history`, `/root/.ssh/id_rsa`, and `.env`.
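The two behavioral indicators above translate directly into host-level detection logic. The following is an added example, not code from the Talos report or from the NEXUS Listener framework: it runs over constructed file-access and outbound-connection events in a simple `key=value` shape (the format, PIDs, process names and the documentation-range address `203.0.113.10` are all assumptions) and flags a process that reads several distinct sensitive files within one minute, plus any process that POSTs to a non-internal host on port 8080.

```python
"""Flag the report's two behavioral indicators over sample host telemetry.
Added example, not from the Talos report: every event below is constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Files whose rapid, scripted reads are the behavioral indicator from the report.
SENSITIVE_SUFFIXES = (".bash_history", "/.ssh/id_rsa", ".env",
                      "/.aws/credentials", "/.kube/config", "/.docker/config.json")
SUSPICIOUS_C2_PORT = 8080        # exfiltration port named in the report
WINDOW = timedelta(seconds=60)   # "rapid sequence": reads within one minute
MIN_DISTINCT_FILES = 3           # distinct sensitive files needed to alert
# RFC 1918, loopback and link-local count as internal; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed file-access events ("<ISO time> key=value ..."). PID 5301 mimics a
# harvesting script; 4120 is the legitimate app server; 6000 an admin editing.
SAMPLE_FILE_EVENTS = """\
2026-04-05T10:00:01 pid=4120 comm=node path=/app/.next/server/app/page.js
2026-04-05T10:00:02 pid=4120 comm=node path=/app/public/favicon.ico
2026-04-05T10:02:10 pid=5301 comm=sh path=/app/.env
2026-04-05T10:02:11 pid=5301 comm=sh path=/root/.bash_history
2026-04-05T10:02:11 pid=5301 comm=sh path=/root/.ssh/id_rsa
2026-04-05T10:02:12 pid=5301 comm=sh path=/root/.aws/credentials
2026-04-05T10:09:00 pid=6000 comm=vim path=/app/.env
"""
# Constructed connection events; 203.0.113.10 (documentation range) stands in
# for an external C2 host, 10.0.0.25 for an internal service on the same port.
SAMPLE_NET_EVENTS = """\
2026-04-05T10:02:13 pid=5301 comm=curl dst=203.0.113.10:8080 method=POST bytes=65536
2026-04-05T10:02:14 pid=5301 comm=curl dst=203.0.113.10:8080 method=POST bytes=65536
2026-04-05T10:03:00 pid=4120 comm=node dst=10.0.0.25:8080 method=POST bytes=120
2026-04-05T10:04:00 pid=4120 comm=node dst=198.51.100.7:443 method=POST bytes=900
"""


def parse_events(text):
    """Turn the key=value lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        event = {"ts": datetime.fromisoformat(ts)}
        for pair in pairs:
            key, _, value = pair.partition("=")
            event[key] = int(value) if key in ("pid", "bytes") else value
        events.append(event)
    return events


def is_sensitive(path):
    return any(path.endswith(suffix) for suffix in SENSITIVE_SUFFIXES)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_rapid_secret_reads(events, window=WINDOW, min_files=MIN_DISTINCT_FILES):
    """Return {pid: {'comm', 'paths'}} for processes reading at least
    `min_files` distinct sensitive files within `window`."""
    by_pid = defaultdict(list)
    for event in events:
        if "path" in event and is_sensitive(event["path"]):
            by_pid[event["pid"]].append(event)
    findings = {}
    for pid, reads in by_pid.items():
        reads.sort(key=lambda e: e["ts"])
        for i, first in enumerate(reads):  # slide the window over each start
            in_window = {e["path"] for e in reads[i:]
                         if e["ts"] - first["ts"] <= window}
            if len(in_window) >= min_files:
                findings[pid] = {"comm": first["comm"], "paths": sorted(in_window)}
                break
    return findings


def detect_external_c2_posts(events, port=SUSPICIOUS_C2_PORT):
    """Return unique (pid, dst) pairs that POST to an external host on `port`."""
    hits = []
    for event in events:
        dst = event.get("dst")
        if not dst or event.get("method") != "POST":
            continue
        host, _, dport = dst.rpartition(":")
        if int(dport) == port and not is_internal(host):
            key = (event["pid"], dst)
            if key not in hits:
                hits.append(key)
    return hits


if __name__ == "__main__":
    for pid, hit in detect_rapid_secret_reads(parse_events(SAMPLE_FILE_EVENTS)).items():
        print(f"ALERT rapid secret reads: pid={pid} comm={hit['comm']} files={hit['paths']}")
    for pid, dst in detect_external_c2_posts(parse_events(SAMPLE_NET_EVENTS)):
        print(f"ALERT external POST on C2 port: pid={pid} dst={dst}")
```

The window and file-count thresholds are deliberately loose so that a single administrator opening `.env` in an editor (PID 6000 above) does not alert, while a script walking several secret stores in a couple of seconds does; in a real pipeline both rules would be correlated by PID with the Next.js server process tree, since the harvesting shell is spawned by the exploited Node process.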
## Response Actions
- **Containment:** Identify and isolate affected Next.js instances.
- **Eradication:** Apply security updates for React2Shell (CVE-2025-55182); delete malicious scripts in `/tmp`.
- **Recovery:** Full rotation of all secrets, API keys, and SSH keys; enforcement of AWS IMDSv2.
## Lessons Learned
- **Key takeaways:** Automated exploitation allows attackers to achieve massive scale in under 24 hours. Vulnerabilities in popular frameworks like Next.js have a high "blast radius."
- **What could have been done better:** Earlier adoption of IMDSv2 would have prevented the theft of cloud metadata credentials, even after the initial shell was gained.
## Recommendations
- **Patch Management:** Immediately update Next.js applications to the latest secure version.
- **Secret Management:** Implement automated secret scanning to detect exposed keys in repositories and environments.
- **Cloud Security:** Enforce AWS IMDSv2 to prevent metadata service credential theft.
- **Runtime Security:** Deploy Web Application Firewalls (WAF) or Runtime Application Self-Protection (RASP) specifically tuned for Next.js vulnerabilities.
- **Access Control:** Enforce least-privilege principles for containerized environments and cloud service roles.
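The Recovery step, the Lessons Learned entry and the Cloud Security recommendation all turn on the same control: requiring IMDSv2 session tokens so that code running on the host cannot fetch instance-role credentials with a single unauthenticated GET. The audit below is an added example, not code from the Talos report or from AWS: the instance records are constructed in the shape of the `MetadataOptions` block that EC2 `DescribeInstances` returns (the `i-PLACEHOLDER…` IDs are placeholders), and each finding carries the parameters one would pass to `ModifyInstanceMetadataOptions`, rendered as the equivalent CLI call for change review. It also flags the hop-limit edge case that matters for containerized Next.js deployments.

```python
"""Audit EC2 metadata options for the IMDSv1 exposure discussed above.
Added example, not from the Talos report; all instance records are constructed."""

# Constructed sample in DescribeInstances shape; IDs are placeholders.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-PLACEHOLDER01",   # IMDSv1 allowed: credentials readable with one GET
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-PLACEHOLDER02",   # already hardened
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-PLACEHOLDER03",   # IMDS switched off entirely
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-PLACEHOLDER04",   # hardened, but runs containers with hop limit 1
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1}},
]


def assess_instance(instance, runs_containers=False):
    """Decide whether IMDSv1 is reachable on one instance and what to change."""
    opts = instance["MetadataOptions"]
    result = {"instance_id": instance["InstanceId"], "imdsv1_exposed": False,
              "remediation": None, "notes": []}
    if opts.get("HttpEndpoint") == "disabled":
        result["notes"].append("IMDS disabled; nothing reachable from the workload.")
        return result
    if opts.get("HttpTokens") != "required":
        # Tokens optional: any process on the host (or an SSRF through the app)
        # can read the role credentials without the PUT token handshake.
        result["imdsv1_exposed"] = True
        result["remediation"] = {"InstanceId": instance["InstanceId"],
                                 "HttpTokens": "required", "HttpEndpoint": "enabled"}
    if runs_containers and opts.get("HttpPutResponseHopLimit", 1) < 2:
        # With the PUT response hop limit at 1, a container on a bridge network
        # cannot complete the IMDSv2 handshake; raising it to 2 keeps IMDSv2
        # usable and removes the temptation to fall back to static keys in .env.
        result["notes"].append("Hop limit 1 with containers: set HttpPutResponseHopLimit=2.")
        if result["remediation"] is None:
            result["remediation"] = {"InstanceId": instance["InstanceId"]}
        result["remediation"]["HttpPutResponseHopLimit"] = 2
    return result


def audit(instances, container_hosts=frozenset()):
    """Assess every instance; `container_hosts` lists IDs known to run containers."""
    return [assess_instance(i, i["InstanceId"] in container_hosts) for i in instances]


def as_cli(remediation):
    """Render a finding as the equivalent AWS CLI call for change review."""
    parts = [f"aws ec2 modify-instance-metadata-options --instance-id {remediation['InstanceId']}"]
    if "HttpTokens" in remediation:
        parts.append(f"--http-tokens {remediation['HttpTokens']}")
    if "HttpEndpoint" in remediation:
        parts.append(f"--http-endpoint {remediation['HttpEndpoint']}")
    if "HttpPutResponseHopLimit" in remediation:
        parts.append(f"--http-put-response-hop-limit {remediation['HttpPutResponseHopLimit']}")
    return " ".join(parts)


if __name__ == "__main__":
    for finding in audit(SAMPLE_INSTANCES, container_hosts={"i-PLACEHOLDER04"}):
        status = "EXPOSED" if finding["imdsv1_exposed"] else "ok"
        print(finding["instance_id"], status, *finding["notes"])
        if finding["remediation"]:
            print("  ", as_cli(finding["remediation"]))
```

Requiring tokens does not stop a harvesting script that already runs as the application user from reading `.env` or `~/.aws/credentials`; it only closes the metadata path, which is why the report pairs it with full secret rotation and least-privilege roles rather than treating it as a complete fix.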