Massive credential theft campaign exploits React2Shell flaw in Next.js apps

A large-scale cyberattack campaign is targeting vulnerable Next.js apps by exploiting a critical flaw known as React2Shell (CVE-2025-55182), allowing hackers to automate the theft of sensitive credentials from cloud environments.

Cisco Talos researchers say that at least 766 systems spanning multiple cloud providers and geographic regions have already been compromised, exposing a wide range of confidential data including database credentials, AWS keys, SSH private keys, API tokens, and environment secrets.

The operation leverages a framework called ‘NEXUS Listener’ and uses automated scripts designed to infiltrate systems and extract valuable information. Talos researchers were able to gain access to an exposed instance of the NEXUS Listener infrastructure, which allowed them to take a deeper look into the attack chain. The activity has been attributed to the UAT-10608 threat cluster.

Once they have gained access, the attackers deploy a script into the system’s temporary directory, initiating a multi-stage process to harvest credentials and system data. The stolen information includes environment variables such as API keys and database credentials, SSH keys, cloud service credentials from providers such as AWS, GCP, and Azure, Kubernetes tokens, container data, command histories, and runtime process details. The data is then exfiltrated in segments via HTTP requests over port 8080 to a command-and-control server running the NEXUS Listener component.
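Detection logic for the chain described above, as an added example that is not part of the Talos report or the article: it groups constructed process telemetry (a hypothetical event schema, not any vendor's) by pid and flags any process that executed from a temp directory, read credential files of the kinds listed, and connected outbound on port 8080.

```python
# Added example (not Talos's code). Event schema below is hypothetical;
# map it onto whatever your EDR or auditd pipeline actually emits.
import re
from collections import defaultdict

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Credential material named in the report: env files, SSH keys, cloud
# provider credentials, Kubernetes service-account tokens, shell histories.
SECRET_PATHS = re.compile(
    r"(/\.env$|/\.ssh/|/\.aws/credentials$|/\.config/gcloud/|/\.azure/|"
    r"/\.kube/config$|/serviceaccount/token$|/\.bash_history$)"
)
EXFIL_PORT = 8080  # port used for the segmented HTTP exfiltration

def analyze(events):
    """Group events by pid; return {pid: [reasons]} only for pids that show
    all three stages: temp-dir exec, credential reads, outbound :8080."""
    by_pid = defaultdict(lambda: {"exec": None, "secrets": set(), "exfil": set()})
    for ev in events:
        state = by_pid[ev["pid"]]
        if ev["type"] == "exec" and ev["path"].startswith(TEMP_DIRS):
            state["exec"] = ev["path"]
        elif ev["type"] == "open" and SECRET_PATHS.search(ev["path"]):
            state["secrets"].add(ev["path"])
        elif ev["type"] == "connect" and ev["dport"] == EXFIL_PORT:
            state["exfil"].add(ev["dst"])
    findings = {}
    for pid, s in by_pid.items():
        if s["exec"] and s["secrets"] and s["exfil"]:
            findings[pid] = [
                f"executed from temp dir: {s['exec']}",
                f"read {len(s['secrets'])} credential file(s)",
                f"outbound :{EXFIL_PORT} to {', '.join(sorted(s['exfil']))}",
            ]
    return findings
# Constructed sample telemetry (documentation IPs): pid 4242 is the full
# chain; pid 100 is a benign build step that also runs from /tmp.
SAMPLE_EVENTS = [
    {"pid": 4242, "type": "exec", "path": "/tmp/.x/collect.sh"},
    {"pid": 4242, "type": "open", "path": "/app/.env"},
    {"pid": 4242, "type": "open", "path": "/root/.ssh/id_rsa"},
    {"pid": 4242, "type": "open", "path": "/root/.aws/credentials"},
    {"pid": 4242, "type": "open", "path": "/var/run/secrets/kubernetes.io/serviceaccount/token"},
    {"pid": 4242, "type": "connect", "dst": "203.0.113.7", "dport": 8080},
    {"pid": 100, "type": "exec", "path": "/tmp/next-build/node"},
    {"pid": 100, "type": "connect", "dst": "198.51.100.2", "dport": 443},
]
if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

Requiring all three stages keeps the noise down; a build tool running from /tmp or a service legitimately talking to port 8080 will not fire on its own.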

The centralized interface provided by NEXUS Listener allows attackers to efficiently manage and analyze stolen data, offering features such as search, filtering, and statistical summaries of compromised hosts and extracted credentials.

Organizations are strongly advised to apply patches for the React2Shell vulnerability and to conduct thorough audits to ensure that server-side data is not exposed. Where compromise is suspected, all credentials should be rotated as soon as possible. Additional recommendations include enforcing AWS IMDSv2, replacing reused SSH keys, enabling secret-scanning tools, deploying web application and runtime protection solutions, and adopting strict least-privilege policies across cloud and container environments to minimize potential damage.
