A large automated operation is exploiting a vulnerability in Next.js applications to carry out a mass theft of credentials that, according to researchers, has already compromised hundreds of cloud servers. The exploited vector is known as React2Shell (CVE-2025-55182); once the attacker gains access, the operation deploys scripts that enumerate and systematically exfiltrate secrets, keys and credentials.
The technical details and the tracking of the campaign have been documented by Cisco Talos analysts, who attribute the operation to a threat cluster tracked as UAT-10608. During their research the analysts were able to reach an exposed instance of the control component, called NEXUS Listar, which let them observe live what the intruders were collecting and how it was presented: an interface that groups the stolen secrets and offers search, filtering and statistics over them. The Talos report can be consulted for the full findings and panel screenshots: Cisco Talos - Inside a large-scale automated credential-harvesting operation.

The modus operandi described by the researchers starts with automated scans for vulnerable Next.js deployments. After exploiting React2Shell, the attacker drops a script into a temporary directory that runs a multi-phase routine to extract sensitive secrets and files. The material is packed into fragments and sent over HTTP to the command-and-control server, the NEXUS Listar, typically on port 8080, where it is indexed and made available to the operators for analysis.
The scale of the incident is striking: Talos reported that the operation's infrastructure managed to compromise at least 766 hosts within 24 hours. The material collected by the attackers includes environment variables and application secrets (API keys, database credentials, GitHub and GitLab tokens), private SSH keys, cloud credentials (instance metadata and credentials from AWS, GCP and Azure), Kubernetes tokens, container and Docker information, shell command histories and data on running processes.
The risk is not limited to the one-off loss of secrets. With this material an attacker can take over cloud accounts, access databases and payment systems, move laterally using the SSH keys, or launch supply-chain attacks from the persistent access gained. There is also a regulatory cost, because the exfiltrated data may include personal data subject to privacy regulations.
Against campaigns of this kind, the response teams' recommendations combine immediate and strategic measures. The urgent ones are to apply the patches that close React2Shell and, at the slightest suspicion of exposure, to rotate every credential that could have been present on the affected hosts. Cisco Talos insists on auditing what data was exposed on the server and on replacing SSH keys that are reused across systems. At the cloud level it is recommended to enforce IMDSv2 on AWS EC2 instances, which makes it harder for a compromised process to obtain instance metadata: IMDSv2 requires a session token obtained with a PUT request, so the plain GET that SSRF and IMDSv1-style harvesting scripts rely on no longer works. A process with full code execution on the instance can still request a token, so this should be combined with instance roles scoped to the minimum permissions the application needs. The official AWS documentation explains how to configure and enforce IMDSv2: AWS - Configuring the Instance Metadata Service.
Other preventive measures include secret scanning in repositories and pipelines (for example, the secret scanning offered by platforms such as GitHub), regular and automated credential rotation, strict application of the principle of least privilege to the roles and permissions of containers and cloud accounts, and application-layer protections such as a WAF or RASP to reduce the likelihood that flaws in web applications are exploited. GitHub documents its detection of secrets in code and in repository history: GitHub - Secret scanning, and the OWASP secrets management guide covers good storage and rotation practices: OWASP - Secrets Management Cheat Sheet.
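As an added example (not code from the Talos report or from the AWS documentation), the following script audits which EC2 instances still answer IMDSv1 requests and prints the AWS CLI commands that enforce IMDSv2 on them. It works on the shape of an ec2:DescribeInstances response; SAMPLE_RESPONSE is constructed and its instance IDs are placeholders, and the optional live mode assumes boto3 and credentials with ec2:DescribeInstances are available.

```python
"""Audit EC2 instances for IMDSv1 exposure and print the commands that fix it.

Added example, not code from the Talos report or the AWS documentation.  It
inspects the shape of an ec2:DescribeInstances response; SAMPLE_RESPONSE is
constructed and its instance IDs are placeholders.
"""
from __future__ import annotations

import sys

# Constructed DescribeInstances output, trimmed to the fields we inspect.
SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            # Endpoint on, tokens optional: a plain GET still returns credentials.
            {"InstanceId": "i-0aaa000000000001",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2}},
            # Already enforcing IMDSv2.
            {"InstanceId": "i-0aaa000000000002",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
            # Endpoint disabled: cannot serve credentials at all, so not flagged.
            {"InstanceId": "i-0aaa000000000003",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]},
    ]
}


def instances_allowing_imdsv1(response: dict) -> list[dict]:
    """Return instances whose metadata endpoint is enabled but does not require
    a session token, i.e. where HttpTokens is anything other than "required"."""
    exposed = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                exposed.append({
                    "InstanceId": inst["InstanceId"],
                    "HttpTokens": opts.get("HttpTokens"),
                    "HopLimit": opts.get("HttpPutResponseHopLimit"),
                })
    return exposed


def remediation_commands(findings: list[dict], hop_limit: int = 1) -> list[str]:
    """AWS CLI commands that make the token mandatory.  A hop limit of 1 keeps the
    PUT response from crossing a NAT hop, so containers on a bridge network cannot
    reach IMDS through the host; raise it to 2 only where containers must use it."""
    return [
        "aws ec2 modify-instance-metadata-options "
        f"--instance-id {f['InstanceId']} --http-tokens required "
        f"--http-endpoint enabled --http-put-response-hop-limit {hop_limit}"
        for f in findings
    ]


def main(argv: list[str]) -> int:
    if "--live" in argv:
        # Live mode needs boto3 and credentials with ec2:DescribeInstances
        # (assumption: both are available in the operator's environment).
        import boto3
        pages = boto3.client("ec2").get_paginator("describe_instances").paginate()
        response = {"Reservations": [r for page in pages for r in page["Reservations"]]}
    else:
        response = SAMPLE_RESPONSE
    findings = instances_allowing_imdsv1(response)
    for f in findings:
        print(f"{f['InstanceId']}: HttpTokens={f['HttpTokens']} hop_limit={f['HopLimit']}")
    for cmd in remediation_commands(findings):
        print(cmd)
    return 1 if findings else 0  # non-zero so a CI job can fail on exposure


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments it audits the constructed sample; with `--live` it paginates through the account's instances. Enforcing the token does not remove the need to scope the instance role: a script already running on the host can perform the PUT itself, so the role attached to a web server should carry only the permissions the application needs.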
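To show what the secret scanning mentioned above amounts to in practice, here is an added example (not GitHub's secret scanning or any vendor's code) of a small scanner that can be run over a working tree or as a pipeline gate. Its format patterns cover the credential types this campaign harvests: cloud access keys, GitHub and GitLab tokens, private SSH keys and Kubernetes-style JWTs, plus an entropy rule for random-looking values assigned to secret-like names. SAMPLE_FILES is constructed; every value in it is a placeholder (the AWS pair is AWS's documented example key), not a live credential.

```python
"""Minimal secret scanner for working trees and CI pipelines.

Added example, not GitHub's secret scanning or any vendor's code.  The patterns
cover the credential types the campaign harvests; SAMPLE_FILES is constructed
and every value in it is a placeholder, not a live credential.
"""
from __future__ import annotations

import math
import re
import sys
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# Credentials with a recognisable format.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "gitlab-token": re.compile(r"\bglpat-[A-Za-z0-9_\-]{20,}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "jwt-or-k8s-token": re.compile(
        r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
}
# Catch-all: NAME=value or "name": "value" where NAME looks secret-bearing.
ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:secret|token|password|passwd|api[_-]?key)\w*)\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9+/=_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; natural words sit well below this


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # first four characters only; never log the whole secret


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_text(text: str, path: str = "<text>") -> list[Finding]:
    """Scan one file's contents.  Format-specific patterns win; the entropy rule
    only fires for values no specific pattern already matched."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(path, lineno, kind, redact(m.group(0))))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            if any(p.search(value) for p in PATTERNS.values()):
                continue
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high-entropy-assignment", redact(value)))
    return findings


def scan_paths(roots: list[str]) -> list[Finding]:
    """Scan files under each root, skipping .git internals.  To catch secrets that
    were committed and later deleted, also run scan_text over `git log -p` output."""
    findings: list[Finding] = []
    for root in roots:
        base = Path(root)
        files = base.rglob("*") if base.is_dir() else [base]
        for p in files:
            if p.is_file() and ".git" not in p.parts:
                findings.extend(scan_text(p.read_text(errors="ignore"), str(p)))
    return findings


# Constructed sample working tree: paths and contents are placeholders.
SAMPLE_FILES = {
    ".env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY\n"
        "GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"
        "DB_PASSWORD=password\n"
        "LOG_LEVEL=debug\n"
    ),
    "deploy/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nZm9vYmFyLXBsYWNlaG9sZGVy\n",
    "k8s/token.txt": ("eyJhbGciOiJSUzI1NiIsImtpZCI6IjEyMyJ9."
                      "eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50In0."
                      "c2lnbmF0dXJlLXBsYWNlaG9sZGVy\n"),
}


def scan_samples() -> list[Finding]:
    return [f for path, text in SAMPLE_FILES.items() for f in scan_text(text, path)]


if __name__ == "__main__":
    results = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_samples()
    for f in results:
        print(f"{f.path}:{f.line}: {f.kind} {f.redacted}")
    sys.exit(1 if results else 0)  # fail the pipeline step when anything is found
```

Wired into a pre-commit hook or a CI step, the non-zero exit blocks the commit or build. The short password and the log level in the sample are deliberately left unflagged: the entropy rule needs a long random-looking value, which keeps the noise down on ordinary configuration files.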

On the operational side it also pays to tighten detection and telemetry: monitor outbound HTTP connections to unusual ports (such as 8080) from application servers, review processes and files in /tmp for malicious scripts, audit command histories and container configuration files, and alert on anomalous use of keys and tokens. Restricting outbound traffic to known destinations and enforcing egress filtering reduces an intruder's ability to exfiltrate data to C2 infrastructure.
This campaign puts two simple but critical ideas back on the table: first, that application-layer vulnerabilities remain an extremely lucrative entry point for attackers; and second, that the protection of secrets and credentials must be both preventive and reactive. Applying patches quickly, auditing the exposure of sensitive information and having automated processes to rotate and detect leaked secrets are the minimum steps that can make the difference between a contained incident and a breach with far-reaching consequences.
To read the technical analysis and the indicators shared by the researchers, see the Cisco Talos report: Inside a large-scale automated credential-harvesting operation. For practical guidance on auditing your environment or prioritizing mitigations, the AWS and OWASP guides linked above are good starting points.
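The detection advice above maps directly onto the kill chain described earlier (script dropped in a temporary directory, secrets read from the host, metadata service queried, chunks posted to a C2 on port 8080). As an added example that is not Talos detection content, the following script turns those observations into rules over host telemetry. It reads constructed JSON-lines events in a schema of our own choosing (an EDR or eBPF sensor export would need a small adapter); the process names in WEB_APP_COMMS, the egress allowlist, and all hostnames, IPs and paths are assumptions or placeholders.

```python
"""Flag post-exploitation behaviour of a web-app process from host telemetry.

Added example, not Talos detection content.  It reads constructed JSON-lines
events in a schema of our own (an EDR or eBPF sensor export would need a small
adapter); hostnames, IPs and paths are placeholders.
"""
from __future__ import annotations

import json
from ipaddress import ip_address, ip_network

# Process names a Next.js server usually runs under (assumption).
WEB_APP_COMMS = {"node", "next-server", "next"}
# Constructed egress allowlist: (destination network, permitted ports).
EGRESS_ALLOW = [
    (ip_network("10.0.0.0/8"), {5432, 6379}),   # internal database and cache
    (ip_network("203.0.113.0/24"), {443}),      # third-party API over TLS
]
STAGING_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
SENSITIVE_PATHS = (
    ".ssh/", ".aws/credentials", ".docker/config.json", ".kube/config",
    "/var/run/secrets/kubernetes.io/serviceaccount/", ".bash_history", ".git-credentials",
)
IMDS = ip_address("169.254.169.254")

# Constructed telemetry: a Next.js worker spawns a shell that runs a dropped
# script, which reads an SSH key, queries IMDS and posts to a C2 on port 8080.
SAMPLE_EVENTS = """\
{"ts":"2025-12-03T10:15:01Z","host":"web-01","event":"connect","comm":"node","pid":1120,"daddr":"10.0.5.20","dport":5432}
{"ts":"2025-12-03T10:15:02Z","host":"web-01","event":"exec","comm":"sh","pid":1188,"ppid":1120,"exe":"/bin/sh","argv":["sh","-c","/tmp/.n/run.sh"]}
{"ts":"2025-12-03T10:15:02Z","host":"web-01","event":"exec","comm":"run.sh","pid":1189,"ppid":1188,"exe":"/tmp/.n/run.sh","argv":["/tmp/.n/run.sh"]}
{"ts":"2025-12-03T10:15:03Z","host":"web-01","event":"open","comm":"run.sh","pid":1189,"path":"/home/app/.ssh/id_rsa","flags":"O_RDONLY"}
{"ts":"2025-12-03T10:15:03Z","host":"web-01","event":"connect","comm":"curl","pid":1190,"ppid":1189,"daddr":"169.254.169.254","dport":80}
{"ts":"2025-12-03T10:15:04Z","host":"web-01","event":"connect","comm":"curl","pid":1191,"ppid":1189,"daddr":"198.51.100.77","dport":8080}
{"ts":"2025-12-03T10:15:09Z","host":"web-01","event":"connect","comm":"node","pid":1120,"daddr":"203.0.113.10","dport":443}
"""


def _is_web_tree(pid: int, lineage: dict) -> bool:
    """Walk the parent chain recorded so far; True if any ancestor is the web app."""
    for _ in range(64):  # guard against cycles in malformed telemetry
        if pid not in lineage:
            return False
        comm, ppid = lineage[pid]
        if comm in WEB_APP_COMMS:
            return True
        pid = ppid
    return False


def _egress_allowed(daddr, dport: int) -> bool:
    return any(daddr in net and dport in ports for net, ports in EGRESS_ALLOW)


def detect(jsonl: str) -> list[dict]:
    """Return alerts for the events in a JSON-lines telemetry stream."""
    lineage: dict = {}  # pid -> (comm, ppid), from the first event that mentions the pid
    alerts: list[dict] = []

    def alert(ev: dict, rule: str, detail: dict) -> None:
        alerts.append({"ts": ev["ts"], "host": ev["host"], "rule": rule,
                       "pid": ev["pid"], "detail": detail})

    for raw in jsonl.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        lineage.setdefault(ev["pid"], (ev["comm"], ev.get("ppid")))
        in_tree = _is_web_tree(ev["pid"], lineage)
        if ev["event"] == "exec":
            # Anything executed out of a world-writable staging directory, host-wide.
            staged = [c for c in [ev.get("exe", "")] + ev.get("argv", [])
                      if c.startswith(STAGING_DIRS)]
            if staged:
                alert(ev, "exec-from-staging-dir", {"path": staged[0], "web_app_tree": in_tree})
        elif ev["event"] == "open" and in_tree:
            if any(s in ev["path"] for s in SENSITIVE_PATHS):
                alert(ev, "sensitive-file-read", {"path": ev["path"]})
        elif ev["event"] == "connect" and in_tree:
            daddr, dport = ip_address(ev["daddr"]), ev["dport"]
            if daddr == IMDS:
                # The app's own SDK refreshes credentials from IMDS; a spawned child does not.
                if ev["comm"] not in WEB_APP_COMMS:
                    alert(ev, "imds-access-from-child", {"comm": ev["comm"]})
            elif not _egress_allowed(daddr, dport):
                alert(ev, "unexpected-egress", {"dst": f"{daddr}:{dport}", "comm": ev["comm"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['host']} pid={a['pid']} {a['rule']} {a['detail']}")
```

Run on the sample it raises five alerts in sequence: the two executions out of /tmp, the read of the SSH private key, the metadata request from a child of the web server, and the post to an unlisted host on port 8080. The last rule is the one that egress filtering would turn from an alert into a blocked connection; the allowlist used here for detection is the same set of destinations a security group or iptables egress policy should enforce.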