React2Shell Exploited in Mass Credential Harvesting Campaign Targeting 700+ Hosts

Apr 3, 2026 | News


React2Shell Vulnerability Exploited in Large-Scale Credential Harvesting Campaign

Cybersecurity researchers have uncovered a widespread credential harvesting operation exploiting the React2Shell vulnerability to compromise systems and extract sensitive data at scale.

The campaign, attributed by Cisco Talos to a threat cluster tracked as UAT-10608, has resulted in the compromise of at least 766 hosts across multiple regions and cloud environments. The attackers are leveraging the vulnerability to gain initial access and deploy a sophisticated data collection framework.

Targeting Next.js Applications for Initial Access

The operation primarily targets Next.js applications vulnerable to CVE-2025-55182, a critical flaw in React Server Components and Next.js App Router that enables remote code execution.

Researchers believe the attackers are using automated scanning techniques to identify exposed systems, likely relying on services such as Shodan, Censys, or custom-built scanners to locate vulnerable deployments.

Once a target is identified, the attackers deploy a dropper that initiates a multi-stage infection chain.

Multi-Stage Malware Deploys NEXUS Listener Framework

Following successful exploitation, the attackers deploy a collection framework known as NEXUS Listener, currently observed in its third iteration.

The malware uses automated scripts to systematically harvest sensitive data from compromised systems. This includes:

  • Environment variables and runtime configurations
  • SSH private keys and authorized_keys files
  • Shell command history
  • Kubernetes service account tokens
  • Docker configurations and container details
  • API keys and authentication tokens
  • Cloud credentials from AWS, Google Cloud, and Microsoft Azure
  • Running processes and system metadata

The breadth of data collection highlights a clear objective: to gather as much intelligence as possible about the compromised environment.

Figure: NEXUS Listener victims list.


Cloud Metadata Services Abused to Extract Credentials

A notable aspect of the campaign is the abuse of cloud instance metadata services to extract temporary credentials.

The malware queries the instance metadata endpoints of AWS, Azure, and Google Cloud, which return temporary credentials for the IAM role or managed identity attached to the instance. This gives the attackers usable cloud credentials without needing any secrets stored in code or configuration files.

This technique enables attackers to expand their reach beyond the initial compromised host and pivot deeper into cloud environments.
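The metadata-service abuse described above leaves a network signature on the compromised host: the web application process contacts a link-local metadata address, often asking for a credential path. The following detector is an added example written for this article, not Talos or NEXUS Listener code. It assumes JSON-lines output from an egress proxy or network sensor on the application host, with field names (ts, proc, dst_host, method, path, headers) that are assumptions, and the sample log is constructed; the metadata addresses and credential paths are the ones each provider documents.

```python
"""Flag web-application egress to cloud instance-metadata services.

Added example, not Talos or NEXUS Listener code. The input is assumed to be
JSON-lines from an egress proxy or network sensor on the application host;
the field names (ts, proc, dst_host, method, path, headers) are assumptions,
and SAMPLE_LOG below is constructed for the demonstration.
"""
import json
from urllib.parse import urlsplit

# Well-known metadata addresses documented by each provider.
METADATA_HOSTS = {
    "169.254.169.254": "aws_or_azure",   # AWS IMDS and Azure IMDS share this IPv4 address
    "fd00:ec2::254": "aws",              # AWS IMDS IPv6 endpoint
    "metadata.google.internal": "gcp",
}

# Path fragments that hand back credentials rather than plain instance facts.
CREDENTIAL_PATHS = (
    "/iam/security-credentials",        # AWS: temporary keys for the instance role
    "/metadata/identity/oauth2/token",  # Azure: managed identity access token
    "/service-accounts/",               # GCP: service account tokens
)


def classify_metadata_request(entry):
    """Return a finding for one log entry, or None if it is not metadata traffic."""
    host = entry.get("dst_host", "").lower()
    provider = METADATA_HOSTS.get(host)
    if provider is None:
        return None
    path = urlsplit(entry.get("path", "")).path
    headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
    # Disambiguate the shared address by the path layout each provider uses.
    if path.startswith("/latest/"):
        provider = "aws"
    elif path.startswith("/metadata/"):
        provider = "azure"
    elif path.startswith("/computeMetadata/"):
        provider = "gcp"

    reasons = ["metadata service contacted by web application process"]
    credential_hit = any(frag in path for frag in CREDENTIAL_PATHS)
    if credential_hit:
        reasons.append("credential endpoint queried")
    # A GET to the AWS tree without the IMDSv2 session token is an IMDSv1 call,
    # exactly the kind of request that enforcing HttpTokens=required blocks.
    if (provider == "aws" and entry.get("method") == "GET"
            and "x-aws-ec2-metadata-token" not in headers):
        reasons.append("IMDSv1 request without session token")
    return {
        "ts": entry.get("ts"),
        "proc": entry.get("proc"),
        "provider": provider,
        "path": path,
        "severity": "high" if credential_hit else "medium",
        "reasons": reasons,
    }


def scan_egress_log(lines):
    """Run the classifier over JSON-lines text, skipping blank or unparsable lines."""
    findings = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify_metadata_request(entry)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample: one benign API call followed by four metadata-service requests.
SAMPLE_LOG = """
{"ts":"2026-04-01T10:00:01Z","proc":"node","dst_host":"api.stripe.com","method":"POST","path":"/v1/charges","headers":{}}
{"ts":"2026-04-01T10:00:02Z","proc":"node","dst_host":"169.254.169.254","method":"GET","path":"/latest/meta-data/iam/security-credentials/","headers":{}}
{"ts":"2026-04-01T10:00:03Z","proc":"node","dst_host":"169.254.169.254","method":"GET","path":"/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/","headers":{"Metadata":"true"}}
{"ts":"2026-04-01T10:00:04Z","proc":"node","dst_host":"metadata.google.internal","method":"GET","path":"/computeMetadata/v1/instance/service-accounts/default/token","headers":{"Metadata-Flavor":"Google"}}
{"ts":"2026-04-01T10:00:05Z","proc":"node","dst_host":"169.254.169.254","method":"GET","path":"/latest/meta-data/instance-id","headers":{"X-aws-ec2-metadata-token":"REDACTED"}}
"""

if __name__ == "__main__":
    for f in scan_egress_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["provider"], f["path"], "|", "; ".join(f["reasons"]))
```

Two points worth noting when tuning this. First, a web application that never uses instance identity should produce zero findings from its own process, so even the medium-severity hits are worth an alert; the token-bearing instance-id lookup in the last sample line is the kind of benign traffic a cloud SDK generates, which is why it is rated lower. Second, the "IMDSv1 request without session token" reason only applies to AWS, since Azure and GCP already require a request header; once IMDSv2 is enforced on the instance, those requests fail at the metadata service and the reason should no longer appear in the log at all.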

Stolen Data Aggregated in Web-Based Control Panel

All harvested data is transmitted to a centralized command-and-control system featuring a web-based interface called NEXUS Listener GUI.

The platform provides attackers with:

  • Searchable access to stolen credentials
  • Statistical insights on compromised hosts
  • Categorization of extracted data
  • Real-time monitoring of campaign activity

Researchers who accessed an exposed instance of the platform found a wide range of sensitive data, including Stripe API keys, GitHub and GitLab tokens, Telegram bot credentials, webhook secrets, database connection strings, and keys for AI platforms such as OpenAI and Anthropic.

Automated and Indiscriminate Targeting Strategy

The scale and diversity of victims suggest the campaign is largely automated, with attackers scanning for any publicly accessible vulnerable systems rather than targeting specific organizations.

This opportunistic approach allows threat actors to rapidly expand their footprint while collecting a broad dataset of credentials and infrastructure information.

Stolen Data Enables Follow-On Attacks

Beyond immediate credential theft, the collected data provides attackers with a detailed blueprint of victim environments.

This includes insights into:

  • Infrastructure architecture
  • Cloud provider usage
  • Third-party integrations
  • Security configurations

Such information can be leveraged to conduct follow-on attacks, including lateral movement, targeted phishing campaigns, or selling access to other threat actors.




Mitigation and Defensive Measures

Organizations are urged to take immediate action to mitigate the risks associated with this campaign. Recommended steps include:

  • Patching vulnerable React and Next.js applications
  • Rotating all potentially exposed credentials
  • Enforcing least privilege access controls
  • Enabling secret scanning across repositories
  • Avoiding reuse of SSH keys
  • Enforcing IMDSv2 on AWS instances
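The last item, enforcing IMDSv2, is the control that directly blocks the IMDSv1-style credential lookups this campaign relies on, and it can be audited across a fleet from the EC2 DescribeInstances output. The script below is an added example written for this article, not AWS or Talos code. It mirrors the real shape of the DescribeInstances response (Reservations, Instances, MetadataOptions with HttpEndpoint, HttpTokens and HttpPutResponseHopLimit), but the sample data is constructed and the instance ids are placeholders; in a live account you would pass in the result of boto3.client("ec2").describe_instances() instead.

```python
"""Audit EC2 MetadataOptions and emit IMDSv2 remediation commands.

Added example, not AWS or Talos code. The input mirrors the shape of the EC2
DescribeInstances response (Reservations -> Instances -> MetadataOptions, which
is the real API structure), but SAMPLE_DESCRIBE_INSTANCES is constructed and the
instance ids are placeholders. In a live account, replace the sample with the
result of boto3.client("ec2").describe_instances().
"""

# Constructed sample: three instances with different metadata settings.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0123456789abcdef0",
             "Tags": [{"Key": "Name", "Value": "nextjs-web-1"}],
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0123456789abcdef1",
             "Tags": [{"Key": "Name", "Value": "nextjs-web-2"}],
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0123456789abcdef2",
             "Tags": [{"Key": "Name", "Value": "batch-worker"}],
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]}
    ]
}


def instance_name(inst):
    """Return the value of the Name tag, or an empty string if there is none."""
    for tag in inst.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag.get("Value", "")
    return ""


def remediation_command(instance_id):
    """AWS CLI command that switches one instance to IMDSv2-only with hop limit 1."""
    return ("aws ec2 modify-instance-metadata-options "
            f"--instance-id {instance_id} "
            "--http-tokens required --http-endpoint enabled "
            "--http-put-response-hop-limit 1")


def audit_metadata_options(describe_response):
    """Return one finding per instance whose metadata service could serve an IMDSv1 caller."""
    findings = []
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no metadata service at all: nothing for a harvester to query
            issues = []
            if opts.get("HttpTokens") != "required":
                issues.append("IMDSv1 allowed (HttpTokens is not 'required')")
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                issues.append("hop limit > 1 lets containers or NAT'd hops reach IMDS")
            if issues:
                findings.append({
                    "instance_id": inst["InstanceId"],
                    "name": instance_name(inst),
                    "issues": issues,
                    "fix": remediation_command(inst["InstanceId"]),
                })
    return findings


if __name__ == "__main__":
    for f in audit_metadata_options(SAMPLE_DESCRIBE_INSTANCES):
        print(f"{f['instance_id']} ({f['name']}):")
        for issue in f["issues"]:
            print("  -", issue)
        print("  fix:", f["fix"])
```

The hop-limit check is deliberately a separate finding: a hop limit of 1 stops containers without host networking from reaching the metadata service, which is usually what you want for a web tier, but workloads that legitimately fetch credentials from inside containers will break and should move to a workload-identity mechanism before the limit is lowered. Before forcing HttpTokens to required, the EC2 CloudWatch metric MetadataNoToken shows whether any remaining IMDSv1 callers exist on an instance, so the switch can be made without surprising a legacy SDK.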


Sources: thehackernews.com, blog.talosintelligence.com
