React2Shell Exploited in Large-Scale Credential Harvesting Campaign

A threat actor has been exploiting vulnerable Next.js applications to compromise systems and exfiltrate credentials at scale, Cisco’s Talos security researchers warn. Tracked as UAT-10608, the threat actor relies on automated scanning to identify applications impacted by CVE-2025-55182 (CVSS score of 10), a critical React vulnerability that allows remote, unauthenticated attackers to execute arbitrary code, and which is tracked as React2Shell by the cybersecurity community. Following initial access, the attackers leverage automated scripts and the Nexus Listener framework to harvest credentials, cloud tokens, SSH keys, and environment secrets at scale. According to Talos, at least 766 systems have been compromised, and more than 10,000 files have been collected as part of the campaign. “The breadth of the victim set and the indiscriminate targeting pattern is consistent with automated scanning — likely based on host profile data from services like Shodan, Censys, or custom scanners to enumerate publicly reachable Next.js deployments and probe them for the described React configuration vulnerabilities,” Talos notes. UAT-10608 has been targeting public-facing web applications vulnerable to React2Shell to deliver a crafted payload via an HTTP request and execute arbitrary code on the server-side Node.js process. The attackers rely on an automated script for multi-phased data collection, iterating through running processes, JavaScript runtime, SSH, shell command history, tokens, cloud metadata APIs, Kubernetes service accounts, container configurations, and running process command lines. The exfiltrated data is sent to the attackers’ command-and-control (C&C) server, where it is made available through the Nexus Listener web application. Talos identified a Nexus Listener instance that was left exposed and was able to peek into the application’s inner workings and exfiltrated data. The instance revealed the successful compromise of 766 hosts within 24 hours. The stolen information includes keys for AI platforms, payment processors, AWS, and communication platforms, as well as GitHub tokens, database connection secrets, Auth tokens, passwords, and more. SSH private keys, cloud credentials, Kubernetes service account tokens, Docker container variables, and shell command history files were also found on the exposed Nexus Listener instance. All the exposed credentials, keys, tokens, and secrets in the dataset should be considered compromised and rotated, as they could lead to further compromise, including supply chain attacks, lateral movement, and compliance issues. Related: Thousands of Magento Sites Hit in Ongoing Defacement Campaign Related: Threat Actor Targeting VPN Users in New Credential Theft Campaign Related: Hundreds of Salesforce Customers Allegedly Targeted in New Data Theft Campaign Related: Cloned AI Tool Sites Distribute Malware in ‘InstallFix’ Campaign WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire 250,000 Affected by Data Breach at Nacogdoches Memorial Hospital Mercor Hit by LiteLLM Supply Chain Attack Sophisticated CrystalX RAT Emerges Linx Security Raises $50 Million for Identity Security and Governance Depthfirst Raises $80 Million in Series B Funding New DeepLoad Malware Dropped in ClickFix Attacks US Charges Uranium Crypto Exchange Hacker Axios NPM Package Breached in North Korean Supply Chain Attack Latest News Critical ShareFile Flaws Lead to Unauthenticated RCE Mobile Attack Surface Expands as Enterprises Lose Control T-Mobile Sets the Record Straight on Latest Data Breach Filing North Korean Hackers Drain $285 Million From Drift in 10 Seconds Critical Vulnerability in Claude Code Emerges Days After Source Leak Apple Rolls Out DarkSword Exploit Protection to More Devices Cybersecurity M&A Roundup: 38 Deals Announced in March 2026 Cisco Patches Critical and High-Severity Vulnerabilities Trending Webinar: Securing Fragile OT In An Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the Move Joe Sullivan has been appointed Strategic Advisor at cloud security firm Upwind. Dragos has appointed Kaori Nieda as Country Manager in Japan. Moderna has promoted Farzan Karimi to Deputy Chief Information Security Officer. More People On The Move Expert Insights The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons From OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle With Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How To 10x Your Vulnerability Management Program In The Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose A Critical Flaw In Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Flipboard Reddit Whatsapp Email