A large-scale credential harvesting campaign has been observed exploiting the React2Shell vulnerability as its primary initial access vector to steal database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens in bulk.
Cisco Talos has attributed the activity to a threat group it tracks as UAT-10608. At least 766 hosts across multiple geographies and cloud providers have been compromised as part of the operation.
“Post-compromise, UAT-10608 leverages automated scripts for extracting and exfiltrating credentials from various applications, which are then posted to its command-and-control (C2),” security researchers Asheer Malhotra and Brandon White said in a report shared with The Hacker News before publication.
“C2 provides a web-based graphical user interface (GUI) titled ‘NEXUS Listener’ that can be used to view stolen data and obtain diagnostic information using pre-generated statistics on harvested evidence and compromised hosts.”

The campaign is assessed to target Next.js applications vulnerable to CVE-2025-55182 (CVSS score: 10.0), a critical flaw in React Server Components and the Next.js App Router that can result in remote code execution, for initial access, and then deploy the NEXUS Listener collection framework.
Post-exploitation, a multi-stage harvesting script is installed that collects a wide range of data from the compromised system:
- Environment variables
- A structured JSON dump of the JavaScript runtime environment
- SSH private keys and authorized_keys files
- Shell command history
- Kubernetes service account tokens
- Docker container state (running containers, their images, exposed ports, network configuration, mount points, and environment variables)
- API keys
- Temporary IAM credentials, obtained by querying the Instance Metadata Service on AWS, Google Cloud, and Microsoft Azure
- Running processes
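The collection list above is also a detection opportunity: each of these reads is individually benign (sshd reads authorized_keys, a shell reads its history), but a single process touching several of these stores within seconds is the footprint of a sweeping harvester. The following is an added example, not Talos's code or anything recovered from the campaign, that scores per-process telemetry for exactly that pattern. The JSON-lines event format, the process names and the event records are constructed for the example; the file-path categories follow the list above.

```python
"""Flag one process that sweeps multiple credential stores in a short window.

The telemetry format below (one JSON object per line with ts/pid/comm/type)
is a constructed stand-in for whatever file-open and connect events your
EDR or auditd pipeline produces; adapt classify() to your real schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
import json

# One pattern per credential category named in the harvester's collection list.
CATEGORY_PATTERNS = {
    "env": re.compile(r"(^|/)\.env(\.|$)|^/proc/\d+/environ$"),
    "ssh": re.compile(r"/\.ssh/(id_[a-z0-9]+|authorized_keys)$"),
    "history": re.compile(r"/\.(bash|zsh|sh)_history$"),
    "k8s_token": re.compile(r"^/var/run/secrets/kubernetes\.io/serviceaccount/token$"),
    "docker": re.compile(r"^/(var/)?run/docker\.sock$"),
}
# Instance Metadata Service endpoints for AWS (v4/v6), Google Cloud and Azure.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "fd00:ec2::254"}


def classify(event):
    """Return the credential category an event touches, or None if it is not interesting."""
    if event["type"] == "file_open":
        for name, pattern in CATEGORY_PATTERNS.items():
            if pattern.search(event["path"]):
                return name
    elif event["type"] == "net_connect" and event["dst"] in METADATA_HOSTS:
        return "cloud_metadata"
    return None


def detect_credential_sweep(lines, min_categories=3, window=timedelta(seconds=60)):
    """Return [(pid, comm, sorted categories)] for every process that touches at
    least `min_categories` distinct credential categories within `window`."""
    per_proc = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        cat = classify(ev)
        if cat is None:
            continue
        per_proc[(ev["pid"], ev["comm"])].append((datetime.fromisoformat(ev["ts"]), cat))

    alerts = []
    for (pid, comm), hits in per_proc.items():
        hits.sort()
        # Slide the window from each hit; alert once per process.
        for i, (start, _) in enumerate(hits):
            cats = {c for t, c in hits[i:] if t - start <= window}
            if len(cats) >= min_categories:
                alerts.append((pid, comm, sorted(cats)))
                break
    return alerts


# Constructed sample: a Node.js process sweeping every store in a few seconds,
# surrounded by benign single-category reads by sshd and an interactive shell.
SAMPLE_EVENTS = [
    '{"ts": "2025-12-05T10:00:00", "pid": 901, "comm": "sshd", "type": "file_open", "path": "/home/deploy/.ssh/authorized_keys"}',
    '{"ts": "2025-12-05T10:00:02", "pid": 4242, "comm": "node", "type": "file_open", "path": "/proc/4242/environ"}',
    '{"ts": "2025-12-05T10:00:02", "pid": 4242, "comm": "node", "type": "file_open", "path": "/app/.env"}',
    '{"ts": "2025-12-05T10:00:03", "pid": 4242, "comm": "node", "type": "file_open", "path": "/root/.ssh/id_ed25519"}',
    '{"ts": "2025-12-05T10:00:03", "pid": 4242, "comm": "node", "type": "file_open", "path": "/root/.bash_history"}',
    '{"ts": "2025-12-05T10:00:04", "pid": 4242, "comm": "node", "type": "file_open", "path": "/var/run/secrets/kubernetes.io/serviceaccount/token"}',
    '{"ts": "2025-12-05T10:00:05", "pid": 4242, "comm": "node", "type": "file_open", "path": "/var/run/docker.sock"}',
    '{"ts": "2025-12-05T10:00:06", "pid": 4242, "comm": "node", "type": "net_connect", "dst": "169.254.169.254", "dport": 80}',
    '{"ts": "2025-12-05T10:00:07", "pid": 4242, "comm": "node", "type": "file_open", "path": "/app/package.json"}',
    '{"ts": "2025-12-05T10:05:00", "pid": 1337, "comm": "bash", "type": "file_open", "path": "/home/deploy/.bash_history"}',
]

if __name__ == "__main__":
    for pid, comm, cats in detect_credential_sweep(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} comm={comm} credential stores touched: {', '.join(cats)}")
```

The threshold of three categories is deliberately low for a web-serving process: a Next.js worker has no business reading SSH keys, shell history or the Docker socket at all, so even two categories from `node` would be worth a look, whereas a backup agent would need a higher threshold or an allow-list.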
The cybersecurity company said the breadth of victims and the indiscriminate targeting are consistent with automated scanning, using services such as Shodan or Censys, or custom scanners, to identify internet-exposed Next.js deployments and probe them for the vulnerability.
At the heart of the operation is a password-protected web application that presents all stolen data to the operator in a clean user interface with search and filter capabilities.
“The application contains a list of several statistics, including the number of compromised recipients and the total number of each type of certificate that was successfully issued to those recipients,” Talos said. “The web application allows the user to read through all the damaged hosts. It also lists the usage time itself.”
The current version of NEXUS Listener is V3, which indicates that the tool has gone through several development iterations before reaching its present form.

Talos, which was able to obtain data from an exposed instance of NEXUS Listener, says it contained API keys for Stripe, artificial intelligence platforms (OpenAI, Anthropic, and NVIDIA NIM), and communication services (SendGrid and Brevo), as well as Telegram bot tokens, webhook secrets, GitLab credentials, and database connection details.
The extensive data collection highlights how threat actors can leverage access to vulnerable hosts to stage follow-on attacks. Organizations are advised to audit their environments to enforce the principle of least privilege, enable secret scanning, avoid leaving unprotected SSH private keys on hosts, enforce IMDSv2 on all AWS EC2 instances, and rotate credentials if compromise is suspected.
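The IMDSv2 recommendation is the one item in that list that a script can check fleet-wide. As an added example, not part of the Talos report, the following audits the JSON returned by `aws ec2 describe-instances` for instances that still answer IMDSv1 requests (or allow tokens to leak past one network hop) and builds the matching `aws ec2 modify-instance-metadata-options` calls. The instance IDs and the describe output are constructed; the field names and CLI flags are the real ones.

```python
"""Audit EC2 metadata options for IMDSv1 exposure and emit remediation commands.

IMDSv1 hands IAM role credentials to any plain GET, which is all the harvester's
metadata query needs. IMDSv2 requires a session token obtained with a PUT first,
and a hop limit of 1 keeps that token from reaching containers behind Docker's
bridge network. Input is `aws ec2 describe-instances` output (as JSON text).
"""
import json


def audit_metadata_options(describe_instances_json):
    """Return {instance_id: [finding, ...]} for instances whose IMDS settings
    leave role credentials reachable without (or around) IMDSv2."""
    findings = {}
    data = json.loads(describe_instances_json)
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue  # metadata endpoint is off: nothing to harvest here
            issues = []
            if opts.get("HttpTokens", "optional") != "required":
                issues.append("IMDSv1 allowed (HttpTokens=optional)")
            hop_limit = opts.get("HttpPutResponseHopLimit", 1)
            if hop_limit > 1:
                issues.append(f"hop limit {hop_limit} lets containers behind NAT reach the token endpoint")
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings


def remediation_commands(findings):
    """Build the AWS CLI calls that enforce IMDSv2 with a one-hop token limit."""
    return [
        f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
        "--http-tokens required --http-endpoint enabled --http-put-response-hop-limit 1"
        for iid in sorted(findings)
    ]


# Constructed sample (hypothetical instance IDs), trimmed to the fields the audit reads.
SAMPLE_DESCRIBE = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0a1b2c3d4e5f60001",
         "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0a1b2c3d4e5f60002",
         "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0a1b2c3d4e5f60003",
         "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0a1b2c3d4e5f60004",
         "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1, "HttpEndpoint": "disabled"}},
    ]}]
})

if __name__ == "__main__":
    found = audit_metadata_options(SAMPLE_DESCRIBE)
    for iid, issues in found.items():
        print(f"{iid}: {'; '.join(issues)}")
    for cmd in remediation_commands(found):
        print(cmd)
```

One caveat worth stating plainly: IMDSv2 defeats SSRF-style and bridge-networked container reads of the metadata service, but a harvester that already has code execution on the host itself can perform the PUT and obtain a token. Enforcing IMDSv2 therefore narrows the blast radius; it does not replace least-privilege instance roles or rotating any role credentials exposed during the window of compromise.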
“Besides the performance value of the individual operations, the aggregated data represents a clear map of the infrastructure of the victims’ organizations: what services they run, how they are configured, which cloud providers they use, and which third-party connections,” the researchers said.
“This intelligence has great value for creating targeted attacks, social engineering campaigns, or selling access to other actors.”