Ethical Hacking News
Hackers are exploiting the React2Shell vulnerability in Next.js applications in a large-scale credential theft campaign. At least 766 hosts across various cloud providers and geographies have been compromised. The attackers use an automated script framework called NEXUS Listener to scan for vulnerable Next.js apps and harvest environment variables, secrets, SSH keys, cloud credentials, Kubernetes tokens, and personally identifiable details, which are exfiltrated in chunks via HTTP requests over port 8080 to a command-and-control server. Cisco Talos recommends applying the security updates, rotating all credentials, enforcing AWS IMDSv2 and least-privilege access, and deploying WAF/RASP protections for Next.js to limit the impact of the attack.
Hackers are running a large-scale credential theft campaign that exploits the React2Shell vulnerability in Next.js applications. Cisco Talos attributes the activity to the threat cluster UAT-10608 and reports that at least 766 hosts across various cloud providers and geographies have already been compromised.
The operation, built on an automated script framework called NEXUS Listener, begins with automated scanning for vulnerable Next.js apps. Once a vulnerable app is found, the script runs a multi-phase credential-harvesting routine that pulls sensitive data from the host and its applications. The stolen material includes environment variables and secrets, SSH keys, cloud credentials, Kubernetes tokens, Docker/container information, command history, process and runtime data, and personally identifiable details.
The harvested data is exfiltrated in chunks via HTTP requests over port 8080 to a command-and-control server running the NEXUS Listener component, which presents the attacker with a detailed view of the data, including search, filtering, and statistical insights. With these credentials the attackers can take over cloud accounts, access databases, payment systems, and other services, and open the door to supply chain attacks.
The compromised data also exposes victims to regulatory consequences from privacy law violations. Cisco Talos recommends that system administrators apply the security updates for React2Shell, audit server-side data exposure, and rotate all credentials immediately if there is suspicion of a compromise. They should also enforce AWS IMDSv2 and replace any reused SSH keys, enable secret scanning, deploy WAF/RASP protections for Next.js, and enforce least-privilege across containers and cloud roles to limit the impact of the attack.
The harvesting script is dropped in the system's standard temporary directory and runs without operator involvement. The stolen secrets give the attackers direct logins to compromised systems, SSH keys for lateral movement, and a path to cloud account takeover.
In total, the attackers compromised more than 766 hosts in a single 24-hour period, which highlights the scale of the threat. The NEXUS Listener framework gives them statistics and search functionality over the data extracted from compromised systems.
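As an added, defender-side example (not code from the article or from Cisco Talos), the following Python scans constructed egress log lines for the exfiltration pattern described above: repeated HTTP POSTs to port 8080 toward one destination in a short window. The log field layout, the thresholds, and the TEST-NET destination addresses are assumptions, not indicators from the campaign.

```python
"""Triage outbound egress logs for the chunked-HTTP exfiltration pattern the
article describes: many small POSTs from one host to one destination on port
8080 within a short window. The log lines below are constructed; the
destination IPs are TEST-NET placeholders, not indicators from the campaign."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress log: timestamp, source host, destination, port, method, bytes
SAMPLE_LOG = """\
2026-04-05T09:00:01Z web-01 203.0.113.10 8080 POST 4096
2026-04-05T09:00:02Z web-01 203.0.113.10 8080 POST 4096
2026-04-05T09:00:03Z web-01 203.0.113.10 8080 POST 4096
2026-04-05T09:00:04Z web-01 203.0.113.10 8080 POST 4096
2026-04-05T09:00:05Z web-01 203.0.113.10 8080 POST 1201
2026-04-05T09:00:07Z web-02 198.51.100.7 443 GET 512
2026-04-05T09:05:00Z web-02 198.51.100.7 8080 POST 300
2026-04-05T09:30:00Z web-02 198.51.100.7 8080 POST 300
"""

def parse(line):
    """Split one log line into typed fields."""
    ts, src, dst, port, method, size = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port), method, int(size))

def find_chunked_exfil(log_text, port=8080, min_requests=4, window=timedelta(seconds=60)):
    """Return {(src, dst): (post_count, total_bytes)} for every source/destination
    pair that sent at least `min_requests` POSTs to `port` inside one `window`."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, method, size = parse(line)
        if dport == port and method == "POST":
            by_pair[(src, dst)].append((ts, size))
    hits = {}
    for pair, events in by_pair.items():
        events.sort()
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= min_requests:
                hits[pair] = (len(events), sum(size for _, size in events))
                break
    return hits

if __name__ == "__main__":
    for (src, dst), (count, total) in find_chunked_exfil(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:8080: {count} POSTs, {total} bytes; isolate host, rotate its credentials")
```

Only web-01 is flagged: web-02's two POSTs to port 8080 are 25 minutes apart and never reach the burst threshold.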
The campaign is a reminder to patch promptly: system administrators should apply the React2Shell security updates, rotate credentials, deploy WAF/RASP protections for Next.js, and enforce least privilege across containers and cloud roles so that a compromised host yields as little as possible and cannot be used for further unauthorized access. Organizations that keep software up to date, protect sensitive information, and maintain strict access controls reduce their risk of being hit by similar attacks in the future.
Related Information:
https://www.ethicalhackingnews.com/articles/Hackers-Exploit-React2Shell-Vulnerability-to-Launch-Large-Scale-Credential-Theft-Campaign-ehn.shtml
https://www.bleepingcomputer.com/news/security/hackers-exploit-react2shell-in-automated-credential-theft-campaign/
https://thehackernews.com/2026/04/hackers-exploit-cve-2025-55182-to.html
https://www.csoonline.com/article/4154188/security-lapse-lets-researchers-see-react2shell-hackers-dashboard.html
Published: Sun Apr 5 09:39:56 2026 by llama3.2 3B Q4_K_M