Security alert: massive campaign steals credentials by exploiting React2Shell and CVE-2025-55182 in Next.js

Published. 5 min read.

A massive credential-theft operation has been detected that uses the vulnerability known as React2Shell as an initial entry point to compromise Next.js applications and extract secrets at scale. Cisco Talos has attributed the campaign to a threat cluster it tracks as UAT-10608 which, according to the researchers, has managed to infiltrate hundreds of servers spread across several regions and cloud providers.

The modus operandi described by the analysts consists of locating public Next.js deployments vulnerable to CVE-2025-55182, a critical flaw in React Server Components and the Next.js App Router that allows remote code execution, and using that execution to plant a "dropper". The dropper begins a thorough reconnaissance of the compromised system and deploys the collection framework known as NEXUS Listar, a web application with a graphical interface that centralizes everything stolen and makes it easy to query.

Image generated with AI.

From this platform, operators can review aggregate statistics on affected hosts and the types of credentials obtained, as well as search and filter the sensitive data. Among the secrets and exfiltrated information that Talos was able to observe in NEXUS instances are database connection strings, private SSH keys and authorized_keys entries, shell command histories, Kubernetes service tokens, Docker container configurations, temporary credentials associated with IAM roles obtained through the instance metadata service in AWS, Google Cloud and Azure, and API keys for services such as Stripe, AI platforms, communication services and code repositories.

The extent of the compromise, with at least 766 hosts affected according to the report, and the indiscriminate nature of the scanning suggest that the attackers automated the search for victims using search engines and tools that locate exposed services on the Internet, such as Shodan or Censys, or scanners of their own. This "sweep" approach scans public Next.js instances, tests for the vulnerability and, when it achieves execution, drops the set of scripts that collect the secrets.

Beyond the immediate impact of each individual credential, the researchers stress that the mass collection amounts to a very valuable map of the victims' infrastructure: it reveals which services are running, which cloud providers are used, how third-party integrations are configured and which communication or billing providers are in use. That intelligence facilitates subsequent targeted attacks, from lateral movement within the network to social engineering campaigns or the sale of access on underground forums.

For those who manage Next.js applications and cloud environments, the practical recommendations are clear and urgent. First, patching or mitigating any vulnerable instance is the priority; the official Next.js documentation and the project's security notes should be reviewed as soon as fixes are available (Next.js Docs). In cloud infrastructure, adopting and enforcing IMDSv2 on EC2 instances reduces the risk of credential exfiltration through the metadata service; Amazon describes how to enable and require IMDSv2 in its official guides (IMDSv2 documentation, AWS).
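The IMDSv2 recommendation above is easy to audit across a fleet. The following is an added example, not code from the article or from AWS: it parses a response in the shape returned by boto3's `ec2.describe_instances()` (the `MetadataOptions` structure with `HttpTokens`, `HttpEndpoint` and `HttpPutResponseHopLimit` is the real one), reports which instances still accept IMDSv1, and builds the arguments for `ec2.modify_instance_metadata_options()` that enforce IMDSv2. The instance IDs and the sample response are constructed; the hop-limit threshold is an assumption you should set to match where containers legitimately need the metadata service.

```python
"""Audit EC2 metadata options for IMDSv2 enforcement (added example).

Parses describe_instances()-shaped data and reports instances that still
allow IMDSv1 or expose IMDS to extra network hops. Sample data is constructed.
"""

# Constructed sample in the shape of ec2.describe_instances()["Reservations"].
SAMPLE_RESERVATIONS = [
    {
        "Instances": [
            {
                "InstanceId": "i-0example0001",
                "MetadataOptions": {
                    "HttpTokens": "optional",       # IMDSv1 still allowed
                    "HttpEndpoint": "enabled",
                    "HttpPutResponseHopLimit": 1,
                },
            },
            {
                "InstanceId": "i-0example0002",
                "MetadataOptions": {
                    "HttpTokens": "required",       # IMDSv2 enforced
                    "HttpEndpoint": "enabled",
                    "HttpPutResponseHopLimit": 1,
                },
            },
            {
                "InstanceId": "i-0example0003",
                "MetadataOptions": {
                    "HttpTokens": "required",
                    "HttpEndpoint": "enabled",
                    "HttpPutResponseHopLimit": 2,   # extra hop reaches IMDS
                },
            },
        ]
    }
]


def find_noncompliant(reservations, max_hop_limit=1):
    """Return {instance_id: [reasons]} for instances not enforcing IMDSv2.

    max_hop_limit=1 is an assumption suited to plain EC2 hosts; container
    hosts that need IMDS from inside pods typically run with 2.
    """
    findings = {}
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no metadata service exposed, nothing to steal
            reasons = []
            if opts.get("HttpTokens") != "required":
                reasons.append("IMDSv1 allowed (HttpTokens != required)")
            if opts.get("HttpPutResponseHopLimit", 1) > max_hop_limit:
                reasons.append("hop limit lets additional network hops reach IMDS")
            if reasons:
                findings[inst["InstanceId"]] = reasons
    return findings


def remediation_args(instance_id, hop_limit=1):
    """Keyword arguments for ec2.modify_instance_metadata_options()."""
    return {
        "InstanceId": instance_id,
        "HttpTokens": "required",
        "HttpEndpoint": "enabled",
        "HttpPutResponseHopLimit": hop_limit,
    }


if __name__ == "__main__":
    # Offline run over the constructed sample. With boto3 and credentials
    # configured, replace SAMPLE_RESERVATIONS with
    # boto3.client("ec2").describe_instances()["Reservations"].
    for iid, reasons in find_noncompliant(SAMPLE_RESERVATIONS).items():
        print(iid, reasons)
        print("  remediate with:", remediation_args(iid))
```

Enforcing `HttpTokens=required` makes the metadata service answer only requests that carry a session token obtained with a PUT, which defeats the simple GET that credential-harvesting scripts typically issue; keep the hop limit at 1 unless workloads behind a container bridge genuinely need IMDS.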

In addition, secret detection and scanning should be built into the development cycle, keys and credentials should be rotated at the slightest suspicion of compromise, and the principle of least privilege should be applied to all accounts and roles to limit the blast radius of any leaked key. Tools and services such as automatic secret detection in repositories (for example, GitHub's Secret Scanning feature) and secret managers help mitigate exposure and automate safe credential rotation.

It is also advisable to avoid reusing SSH key pairs across machines and devices, to audit regularly which keys and tokens are in place, and to minimize the number of credentials with broad permissions. Managed secret-management services such as AWS Secrets Manager or commercial alternatives let organizations control the life cycle of secrets and simplify rotation.
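The two paragraphs above recommend scanning for secrets and auditing which keys are lying around. The following is an added example, not the article's or any vendor's tool, of a minimal secret scanner for the credential types the campaign collected: private keys, cloud access keys, database connection strings with embedded passwords and prefixed API keys. The regular expressions are illustrative heuristics based on publicly documented key prefixes (`AKIA`, `sk_live_`/`sk_test_`, `ghp_`); the sample files and every value in them are constructed fakes that only follow the format.

```python
"""Minimal secret scanner with redacted findings (added example).

Patterns are illustrative heuristics, not a complete ruleset; real products
add many more formats plus entropy checks. All sample data is constructed.
"""
import re

# (name, pattern). Prefixes follow the providers' documented key formats.
PATTERNS = [
    ("private_key",
     re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("stripe_secret_key", re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b")),
    ("github_token", re.compile(r"\bghp_[0-9A-Za-z]{36}\b")),
    ("db_connection_string",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://"
                r"[^:\s/]+:[^@\s]+@[^\s]+")),
]


def redact(value, keep=4):
    """Keep a short prefix so a finding can be triaged without re-leaking it."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_text(source, text):
    """Return (source, line_no, pattern_name, redacted_match) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pat_name, regex in PATTERNS:
            for match in regex.finditer(line):
                findings.append((source, line_no, pat_name, redact(match.group(0))))
    return findings


def scan_files(files):
    """Scan a {name: contents} mapping, e.g. a repo tree or a host's home dirs."""
    results = []
    for name, text in files.items():
        results.extend(scan_text(name, text))
    return results


def summarize(findings):
    """Count findings per pattern type, useful for a CI gate or dashboard."""
    counts = {}
    for _, _, pat_name, _ in findings:
        counts[pat_name] = counts.get(pat_name, 0) + 1
    return counts


# Constructed sample files; values are fakes that only mimic the formats.
SAMPLE_FILES = {
    ".env": (
        "DATABASE_URL=postgres://app:hunter2@db.internal:5432/prod\n"
        "STRIPE_SECRET_KEY=sk_live_" + "A" * 24 + "\n"
        "LOG_LEVEL=info\n"
    ),
    "deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "ci.yml": "  GITHUB_TOKEN: ghp_0123456789abcdef0123456789abcdef0123\n",
    "id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA(fake)\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "notes.txt": "Remember to rotate the key next quarter.\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
    print(summarize(scan_files(SAMPLE_FILES)))
```

Prefix-based rules miss secrets without a recognizable shape, such as an AWS secret access key on its own, so a production scanner pairs them with entropy analysis and provider-side validation; the redaction keeps the scanner's own output from becoming another place secrets leak.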


In detection and response, it is important to monitor for abnormal behaviour such as unusual processes reading sensitive files, outbound connections to unrecognized servers, and activity on administrative endpoints that coincides with the deployment of the web application identified by the researchers. Security teams should consider proactive hunts in their environments to identify publicly accessible Next.js instances and check whether they have been patched or show signs of compromise.
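The behaviours listed above translate directly into detection logic. The following is an added example, not from the Talos report or any EDR product: it runs three rules over constructed JSON-lines telemetry in a generic shape (process name, file opened, outbound destination) and escalates when one web-server process trips several of them, which is the pattern a credential-harvesting dropper produces. The process names, watched paths, egress allowlist and sample events are all assumptions to be replaced with your own baseline and telemetry fields.

```python
"""Flag web-app processes touching credential stores or IMDS (added example).

Evaluates constructed JSON-lines events; map your auditd/eBPF/EDR fields onto
the same keys (host, pid, proc, event, path, dst). Lists are assumptions.
"""
import json
from collections import defaultdict

WEB_PROCESSES = {"node", "next-server"}      # assumption: the Next.js runtime
SENSITIVE_PATH_PARTS = (                     # assumption: paths to watch
    "/.ssh/", "/.bash_history", "/.zsh_history", "/.aws/credentials",
    "/.kube/config", "/.docker/config.json",
    "/var/run/secrets/kubernetes.io/serviceaccount/",
)
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}
EGRESS_ALLOWLIST = {"db.internal", "api.stripe.com"}   # assumption: known peers

# Constructed sample telemetry, one JSON object per line. Not real data.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": "2025-12-05T10:00:01Z", "host": "web-01", "pid": 4120, "proc": "node",
     "event": "open", "path": "/app/.next/server/app/page.js"},
    {"ts": "2025-12-05T10:00:02Z", "host": "web-01", "pid": 4120, "proc": "node",
     "event": "open", "path": "/root/.ssh/id_ed25519"},
    {"ts": "2025-12-05T10:00:02Z", "host": "web-01", "pid": 4120, "proc": "node",
     "event": "open", "path": "/root/.bash_history"},
    {"ts": "2025-12-05T10:00:03Z", "host": "web-01", "pid": 4120, "proc": "node",
     "event": "connect", "dst": "169.254.169.254", "port": 80},
    {"ts": "2025-12-05T10:00:04Z", "host": "web-01", "pid": 4120, "proc": "node",
     "event": "connect", "dst": "203.0.113.10", "port": 443},
    {"ts": "2025-12-05T10:00:05Z", "host": "web-01", "pid": 900, "proc": "sshd",
     "event": "open", "path": "/root/.ssh/authorized_keys"},
    {"ts": "2025-12-05T10:00:06Z", "host": "web-01", "pid": 4120, "proc": "node",
     "event": "connect", "dst": "api.stripe.com", "port": 443},
])


def evaluate(event):
    """Return the name of the rule an event trips, or None."""
    if event.get("proc") not in WEB_PROCESSES:
        return None
    if event.get("event") == "open":
        if any(part in event.get("path", "") for part in SENSITIVE_PATH_PARTS):
            return "credential_file_read"
    elif event.get("event") == "connect":
        dst = event.get("dst", "")
        if dst in METADATA_HOSTS:
            # Legitimate when the app uses an instance role through the cloud
            # SDK; baseline per service and alert on first-seen instead.
            return "imds_access_from_webapp"
        if dst not in EGRESS_ALLOWLIST:
            return "unexpected_egress"
    return None


def detect(log_text):
    """Run the rules over JSON lines; escalate pids that trip several rules."""
    alerts = []
    rules_by_proc = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        rule = evaluate(event)
        if rule:
            alerts.append({"rule": rule, "severity": "medium",
                           "host": event["host"], "pid": event["pid"],
                           "detail": event.get("path") or event.get("dst")})
            rules_by_proc[(event["host"], event["pid"])].add(rule)
    for (host, pid), rules in rules_by_proc.items():
        if len(rules) >= 2:   # file reads plus IMDS or odd egress from one pid
            alerts.append({"rule": "probable_credential_harvesting",
                           "severity": "high", "host": host, "pid": pid,
                           "detail": sorted(rules)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single-rule alerts are noisy on their own (an application legitimately talking to IMDS through the SDK, an operator reading `authorized_keys` via sshd), so the correlation step is what gives a usable signal: a web worker that both reads credential files and reaches out to the metadata service or an unknown host within a short window deserves immediate triage.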

The case of UAT-10608 and NEXUS Listener is a strong reminder that exploitation of vulnerabilities in modern frameworks can lead to the loss of high-value secrets and open a window of opportunity for follow-on attacks. Keeping environments up to date, reducing the exposed surface and protecting secrets with appropriate policies and tools are the measures that make the difference between an isolated intrusion and a leak that compromises an organization's entire chain of operations.

For further research and technical details, consult the coverage from intelligence groups and specialized media such as Cisco Talos and the technology and cybersecurity press such as The Hacker News. For general principles of web security, see reference resources such as OWASP.
