Uncovering the Cyber Threat: Hackers Targeting React2Shell in Sophisticated Credential Theft Scheme

A large-scale, automated credential-theft campaign is underway, run by attackers exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js applications.

Over 766 hosts spread across different cloud providers and regions have fallen victim to this attack, resulting in the collection of sensitive information such as database credentials, AWS keys, SSH private keys, API tokens, cloud tokens, and various environment secrets.

The campaign runs on a framework named NEXUS Listener, which uses automated scripts to extract sensitive data from compromised applications and transfer it to the attackers.

Cisco Talos researchers attribute the activity to a threat cluster tracked as UAT-10608. After gaining access to an exposed NEXUS Listener instance, the researchers were able to analyze the data harvested from compromised systems and understand how the web application works.

Figure: The main panel of NEXUS Listener (Source: Cisco Talos)

Automated secret harvesting

The attack begins with automated scanning for vulnerable Next.js applications, which are then exploited through the React2Shell vulnerability. A script that runs a multi-phase credential-harvesting routine is dropped in the system's standard temporary directory.

According to Cisco Talos researchers, the stolen data includes:

  • Environment variables and secrets (API keys, database credentials, GitHub/GitLab tokens)
  • SSH keys
  • Cloud credentials (AWS/GCP/Azure metadata, IAM credentials)
  • Kubernetes tokens
  • Docker/container information
  • Command history
  • Process and runtime data

The harvested data is exfiltrated in chunks, each sent as an HTTP request over port 8080 to a command-and-control (C2) server hosting the NEXUS Listener component. The panel gives the attacker a full view of the collected data, with search, filtering, and statistical analysis.
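The exfiltration pattern described above (many back-to-back HTTP POSTs from one web host to a single external destination on port 8080) can be hunted for in egress-proxy logs. The following is an added example, not code from the Cisco Talos report or from NEXUS Listener; the log line layout, the host names, and the 203.0.113.10 / 198.51.100.7 addresses are constructed for the example.

```python
"""Flag hosts sending chunked HTTP POST bursts to one destination on port 8080.

The egress-log format below is an assumption for this example; adapt LINE_RE
to the proxy or flow-log format actually in use.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) "
    r"method=(?P<method>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample log: web-01 sends four POST chunks in four seconds to an
# external host on 8080, then a normal HTTPS GET; web-02 sends a single POST.
SAMPLE_LOG = """\
2025-12-05T10:00:01Z src=web-01 dst=203.0.113.10:8080 method=POST bytes=65536
2025-12-05T10:00:02Z src=web-01 dst=203.0.113.10:8080 method=POST bytes=65536
2025-12-05T10:00:03Z src=web-01 dst=203.0.113.10:8080 method=POST bytes=65536
2025-12-05T10:00:04Z src=web-01 dst=203.0.113.10:8080 method=POST bytes=12288
2025-12-05T10:00:05Z src=web-01 dst=198.51.100.7:443 method=GET bytes=512
2025-12-05T10:03:00Z src=web-02 dst=203.0.113.10:8080 method=POST bytes=1024
"""

def parse(line):
    """Return (ts, src, dst, port, method, bytes) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["dst"], int(m["port"]), m["method"], int(m["bytes"])

def find_chunked_posts(log_text, port=8080, min_posts=3, window_s=60):
    """Map (src, dst) -> (post_count, total_bytes) for every source host that
    sent at least min_posts POSTs to the same dst:port inside window_s seconds."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[3] == port and rec[4] == "POST":
            posts[(rec[1], rec[2])].append((rec[0], rec[5]))
    hits = {}
    for key, events in posts.items():
        events.sort()
        for i in range(len(events)):
            j = i  # advance j while events stay within the window after event i
            while j < len(events) and (events[j][0] - events[i][0]).total_seconds() <= window_s:
                j += 1
            if j - i >= min_posts:
                hits[key] = (j - i, sum(b for _, b in events[i:j]))
                break
    return hits
```

Tune the port, count, and window to the environment; legitimate services that POST to port 8080 should be allow-listed rather than lowering the threshold.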

“The application displays several statistics, including the number of compromised hosts and the total count of each type of credential successfully extracted from those hosts,” as stated in a report by Cisco Talos this week.

“It also indicates the application’s uptime. In this instance, the automated exploitation and harvesting framework managed to compromise 766 hosts within a 24-hour timeframe.”

Figure: Volume of secrets collected in the campaign (Source: Cisco Talos)

Defense recommendations

The stolen secrets allow attackers to take over cloud accounts and access databases, payment systems, and other services, which can in turn lead to supply chain attacks. Stolen SSH keys can be used for lateral movement.

Cisco notes that the compromised data includes personally identifiable information, exposing victims to regulatory consequences under privacy laws.

The researchers advise administrators to apply the patches for React2Shell, audit what data the server side exposes, and promptly rotate all credentials if a compromise is suspected.

Moreover, deploying AWS IMDSv2, replacing reused SSH keys, enabling secret scanning, implementing WAF/RASP protections for Next.js, and enforcing least-privilege across containers and cloud roles are recommended to mitigate the impact of such attacks.
