Cisco Talos has disclosed a large-scale automated credential harvesting campaign carried out by a threat cluster they are tracking as “UAT-10608.” The systematic exploitation campaign leverages a custom framework called “NEXUS Listener” to target Next.js applications vulnerable to React2Shell (CVE-2025-55182), resulting in the compromise of at least 766 hosts within a 24-hour period.
Key Findings
The scope of this automated campaign is staggering:
- 766 hosts compromised in under 24 hours
- 91.5% of compromised hosts yielded database credentials
- 78.2% contained SSH private keys enabling lateral movement
- 25.6% exposed AWS credentials with potentially broad IAM permissions
- 11.4% had live Stripe API keys for payment processing
- 8.6% leaked GitHub tokens enabling supply chain attacks
Attack Methodology
UAT-10608 exploits CVE-2025-55182, broadly referred to as “React2Shell” — a pre-authentication remote code execution vulnerability in React Server Components (RSC). The attack requires no authentication and targets publicly accessible applications using vulnerable versions of Next.js.
Once initial access is achieved, the automated toolkit deploys multi-phase harvesting scripts that iterate through collection phases including:
- environ — Process environment variables
- ssh — SSH private keys and authorized_keys
- tokens — Pattern-matched credential strings
- cloud_meta — Cloud metadata APIs (AWS/GCP/Azure)
- k8s — Kubernetes service account tokens
- docker — Container configurations
The NEXUS Listener Framework
The core component of this operation is a web-based GUI that aggregates all stolen data, providing operators with:
- Precompiled statistics on credentials harvested and hosts compromised
- Search capabilities to sift through compromised data
- Per-host credential breakdowns organized by collection phase
The framework displays “v3” in its interface, indicating active development and iteration by the threat actors.
Why This Matters
Supply Chain Risk: Several hosts showed evidence of npm and pip registry credentials, enabling potential malicious package publication under legitimate maintainer identities.
Lateral Movement: The massive corpus of exposed SSH keys creates persistent access that survives application credential rotation — especially dangerous in organizations with shared key infrastructure.
Cloud Infrastructure Takeover: AWS keys with broad IAM permissions enable data exfiltration from S3, EC2 control plane operations, and lateral movement within AWS organizations.
Recommendations
- Audit Next.js applications for the React2Shell vulnerability immediately
- Rotate all credentials if any overlap with the victim profile is suspected
- Enforce IMDSv2 on all AWS EC2 instances to block unauthenticated metadata service abuse
- Segment SSH keys — avoid reusing key pairs across environments
- Deploy RASP or WAF rules tuned for Next.js-specific attack patterns
- Audit container environments for least-privilege access controls
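As an added example for the IMDSv2 recommendation (my code, not Talos's or the campaign's tooling), the script below audits `aws ec2 describe-instances` output for instances that still accept IMDSv1 and builds the `modify-instance-metadata-options` call that makes them IMDSv2-only. The JSON and instance IDs are constructed sample data; the hop-limit check goes beyond the page's recommendation and is my addition.

```python
import json
import subprocess

# Constructed sample of `aws ec2 describe-instances` output; the instance
# IDs are placeholders, not real hosts.
SAMPLE_DESCRIBE = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0example0001", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "optional",
        "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0example0002", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "required",
        "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0example0003", "MetadataOptions": {
        "HttpEndpoint": "disabled", "HttpTokens": "optional",
        "HttpPutResponseHopLimit": 1}},
]}]})

def find_imdsv1_instances(describe_json: str) -> list:
    """Return (instance_id, reason) pairs for instances that still accept
    IMDSv1. Disabled endpoints are skipped; HttpTokens must be "required"
    for IMDSv2-only. A hop limit above 1 is flagged as well (my addition):
    it lets containers on the host's bridged network reach IMDSv2."""
    findings = []
    for reservation in json.loads(describe_json)["Reservations"]:
        for inst in reservation["Instances"]:
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue
            if opts.get("HttpTokens") != "required":
                findings.append((inst["InstanceId"], "imdsv1-allowed"))
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                findings.append((inst["InstanceId"], "hop-limit-above-1"))
    return findings

def enforce_command(instance_id: str) -> list:
    """AWS CLI call that makes one instance IMDSv2-only with hop limit 1."""
    return ["aws", "ec2", "modify-instance-metadata-options",
            "--instance-id", instance_id, "--http-tokens", "required",
            "--http-put-response-hop-limit", "1"]

def remediate(describe_json: str, dry_run: bool = True) -> list:
    """Build (and, unless dry_run, execute) one fix per flagged instance."""
    flagged = sorted({iid for iid, _ in find_imdsv1_instances(describe_json)})
    cmds = [enforce_command(iid) for iid in flagged]
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds
```

Feed it the real `aws ec2 describe-instances --output json` text and call `remediate(..., dry_run=False)` with credentials that hold `ec2:ModifyInstanceMetadataOptions` to apply the change.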
Snort Rule: ID 65554 for CVE-2025-55182 (React2Shell)
Source: Cisco Talos
