Hackers use Next.js flaw to harvest credentials from 766 hosts, Cisco Talos says

Hackers have exploited a React2Shell vulnerability to break into Next.js applications and steal credentials and secrets from at least 766 hosts across multiple regions and cloud providers, according to a Cisco Talos technical analysis.

KEY FACTS

  • Threat cluster: The activity is linked to UAT-10608.
  • Scale: At least 766 hosts were compromised.
  • Target: The campaign focused on Next.js deployments exposed to CVE-2025-55182.
  • Stolen data: The operation sought database credentials, SSH keys, cloud secrets, API keys and tokens.
  • Tooling: Stolen data was surfaced in a password-protected web app called NEXUS Listener.

The report says the campaign used automated scripts after initial access to pull environment variables, shell history, Kubernetes tokens, Docker configuration details and temporary cloud credentials from AWS, Google Cloud and Microsoft Azure metadata services. It also gathered running processes and other application secrets.

Talos said the pattern of victims suggests broad scanning rather than a handpicked list of targets. The researchers said the operators likely used public internet scanning services or custom tools to find reachable Next.js systems and probe them for the flaw.

The disclosure says the latest version of the operator interface is NEXUS Listener V3. Talos said it was able to access an unauthenticated instance that contained Stripe keys, OpenAI, Anthropic and NVIDIA NIM API keys, SendGrid and Brevo credentials, Telegram bot tokens, GitHub and GitLab tokens, and database connection strings.

Organizations were advised to review environments for exposed Next.js deployments, enforce least privilege, enable secret scanning, avoid reusing SSH key pairs, require IMDSv2 on AWS EC2 instances and rotate credentials if compromise is suspected.
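One of those recommendations, requiring IMDSv2, can be checked across an account with the AWS CLI. The script below is an added example, not part of the Talos report: it parses `aws ec2 describe-instances` output, flags instances whose metadata endpoint still accepts IMDSv1 requests (the path by which a compromised web process can read temporary role credentials), and prints the remediation command. The instance IDs and sample output are constructed.

```python
"""Audit EC2 metadata options for IMDSv2 enforcement.

Input is the JSON shape returned by `aws ec2 describe-instances`
(Reservations -> Instances -> MetadataOptions). In practice, feed it
`aws ec2 describe-instances --output json`; the sample below is constructed.
"""
import json

# Constructed sample in the describe-instances output shape (not real instances).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111example",
             "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0bbb222example",
             "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0ccc333example",
             "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled"}},
        ]}
    ]
})


def find_imdsv1_instances(describe_json: str) -> list[str]:
    """Return IDs of instances whose metadata endpoint is enabled but does not
    require the IMDSv2 session token (HttpTokens != "required").

    Instances with the endpoint disabled are not flagged: nothing on the host
    can reach IMDS at all, so a compromised process gains no role credentials there.
    """
    flagged = []
    for reservation in json.loads(describe_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") != "enabled":
                continue
            if opts.get("HttpTokens") != "required":
                flagged.append(inst["InstanceId"])
    return flagged


def remediation_command(instance_id: str) -> str:
    """AWS CLI command that switches one instance to IMDSv2-only mode."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            "--http-tokens required --http-endpoint enabled")


if __name__ == "__main__":
    for iid in find_imdsv1_instances(SAMPLE_DESCRIBE_OUTPUT):
        print(remediation_command(iid))
```

Enforcing IMDSv2 does not remove credentials already harvested, so the rotation step in the advice above still applies to any instance found in the flagged list.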

WHY IT MATTERS

The campaign shows how a single web application flaw can be used to collect a broad set of credentials that may support further intrusion. The stolen data can also reveal how victim organizations are built, what cloud services they use and which third-party systems are connected.