Hackers Exploit CVE-2025-55182 to Compromise 766 Next.js Hosts and Steal Credentials

Large-Scale Credential Harvesting Operation Targets Vulnerable Next.js Applications

A significant credential harvesting operation has been detected exploiting the React2Shell vulnerability, marking a serious threat to numerous organizations. This operation aims to steal sensitive information, including database credentials, SSH private keys, AWS secrets, shell command histories, Stripe API keys, and GitHub tokens, from an estimated 766 compromised hosts across various geographical regions and cloud service providers.

Cisco Talos attributes this malicious activity to a threat cluster known as UAT-10608. According to security researchers Asheer Malhotra and Brandon White, after initial compromise, this group employs automated scripts to extract and exfiltrate credentials from a variety of applications. The harvested data is subsequently sent to a command-and-control (C2) server, where it can be accessed through a web-based graphical user interface named “NEXUS Listener.” This interface not only allows operators to view stolen information but also provides analytical insights through precompiled statistics on the credentials obtained and hosts affected.

The campaign is particularly focused on Next.js applications vulnerable to CVE-2025-55182, a critical flaw rated with a CVSS score of 10.0. By exploiting this vulnerability within React Server Components and the Next.js App Router, attackers gain initial access and deploy the NEXUS Listener framework. The framework uses a multi-phase harvesting script that gathers extensive data from the compromised systems, such as environment variables, SSH private keys, Docker configurations, API keys, and temporary AWS credentials.

The scale and indiscriminate nature of this attack suggest a methodical approach to identifying vulnerable Next.js deployments, potentially utilizing automated scanning services like Shodan or Censys. Central to the operation is the NEXUS Listener application, which is password-protected and enables operators to browse through stolen data with ease. Talos has noted that the current version of this application is V3, indicating ongoing development and enhancement.

Talos managed to gain access to an unauthenticated NEXUS Listener instance, revealing a wealth of sensitive data. Among the compromised information were API keys connected to various services, including Stripe, artificial intelligence platforms, and database connection strings. This extensive collection of credentials not only has immediate operational implications but also provides a detailed map of victim organizations’ infrastructures, identifying services in use and their configurations.

Given the operation’s extensive reach and sophisticated methods, businesses are urged to assess their cybersecurity posture thoroughly. Employing strategies such as enforcing the principle of least privilege, enabling secret scanning, implementing multi-factor authentication, and rotating credentials can help mitigate risks. The broader implications of this campaign are alarming, as the intelligence gained from the harvested data may fuel targeted follow-on attacks or social engineering campaigns.
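The "secret scanning" mitigation above is the defensive mirror of what the harvesting script collects: a defender who knows which credential material sits in .env files, SSH directories, Docker configs and shell histories knows exactly what to rotate after a compromise. The script below is an added example, not Talos's tooling or anything from the campaign; the regexes are assumptions based on the publicly documented formats of these credential types, and every sample file is constructed (the AWS secret is the placeholder value from AWS's own documentation).

```python
"""Inventory of harvestable credentials on a host (added example, not Talos tooling).

Scans the file types the article says UAT-10608's script collects (.env files,
SSH private keys, Docker configs, shell histories) for credential patterns and
summarizes them into a rotation worklist. Sample files are constructed.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Detection patterns: assumptions based on the public formats of each
# credential type, not taken from the article or from the attacker's script.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),  # ASIA = temporary creds
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "stripe_secret_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
    "db_connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s:/]+:[^\s@]+@"),
    "docker_registry_auth": re.compile(r"\"auth\"\s*:\s*\"[A-Za-z0-9+/=]+\""),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    preview: str  # redacted prefix only; the report must not re-expose the secret


def redact(secret: str) -> str:
    """Keep a six-character prefix so the finding is recognizable without reprinting it."""
    return secret[:6] + "..." if len(secret) > 6 else "..."


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every pattern over each line of one file and collect redacted findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, lineno, kind, redact(m.group(0))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: content} map; on a real host, read the files instead."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by credential type: the rotation worklist after a compromise."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample host contents; none of these values are real credentials.
SAMPLE_FILES = {
    "/srv/app/.env": (
        "DATABASE_URL=postgres://app:s3cret@db.internal:5432/app\n"
        "STRIPE_SECRET_KEY=sk_live_abcdefghijklmnopqrstuvwx\n"
        "GITHUB_TOKEN=ghp_0123456789abcdef0123456789abcdef0123\n"
        "NEXT_PUBLIC_SITE_NAME=demo\n"
    ),
    "/home/deploy/.ssh/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "CONSTRUCTEDKEYMATERIALNOTAREALKEY\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "/home/deploy/.docker/config.json": (
        '{"auths": {"registry.example.com": {"auth": "dXNlcjpwYXNz"}}}\n'
    ),
    "/home/deploy/.bash_history": (
        "export AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001\n"
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "ls -la\n"
    ),
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line} {f.kind} {f.preview}")
    print("rotate:", summarize(results))
```

Running it against the constructed host yields one finding per credential type, seven in total, with only a redacted prefix in each report line; the summary dictionary is the list of credential classes that would need rotation (and, for the AWS and GitHub entries, whose audit logs to review for use from unfamiliar addresses).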

Mapped to the MITRE ATT&CK framework, the operation's tactics include initial access (exploitation of the vulnerable application) and credential dumping, the techniques that enabled the compromise. Organizations must remain vigilant against such evolving threats to protect sensitive data and ensure robust defenses against cyber intrusions.