Automated credential theft campaign leveraging React2Shell vulnerability (CVE-2025-55182) in Next.js applications
Summary
A large-scale automated credential theft campaign has compromised at least 766 hosts across multiple cloud providers and geographies by exploiting the React2Shell vulnerability (CVE-2025-55182) in vulnerable Next.js applications. The attack leverages a framework called NEXUS Listener and automated scripts to extract and exfiltrate sensitive data, including database credentials, AWS and cloud tokens, SSH private keys, API keys, environment secrets, Kubernetes tokens, Docker information, command history, and process data. The exfiltration occurs in chunks via HTTP requests over port 8080 to a command-and-control server running the NEXUS Listener component.
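The summary describes exfiltration as a series of chunked HTTP requests from each compromised host to a listener on port 8080. From a detection standpoint that pattern (one internal host, one external destination, a burst of similar-sized POSTs on a non-standard port in a short window) is easy to hunt for in proxy or flow logs. The following is an added example written for this page, not code from the reporting or from the campaign's tooling: it parses a few constructed log lines in an assumed `timestamp src dst dport method bytes` format and flags bursts to port 8080. The window and request-count thresholds are assumptions to tune against your own baseline.

```python
"""Heuristic detector for chunked HTTP exfiltration bursts (added example).

Assumed log format (one event per line): ISO timestamp, source IP, destination IP,
destination port, HTTP method, bytes sent. The sample lines below are constructed
for illustration and are not observed campaign traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one host sends five POST chunks to 203.0.113.9:8080 within
# a few seconds, plus ordinary HTTPS traffic and a lone POST several minutes later.
SAMPLE_LOG = """\
2026-04-05T16:01:02Z 10.0.1.15 203.0.113.9 8080 POST 4096
2026-04-05T16:01:03Z 10.0.1.15 203.0.113.9 8080 POST 4096
2026-04-05T16:01:04Z 10.0.1.15 203.0.113.9 8080 POST 4096
2026-04-05T16:01:05Z 10.0.1.15 203.0.113.9 8080 POST 4096
2026-04-05T16:01:06Z 10.0.1.15 203.0.113.9 8080 POST 1210
2026-04-05T16:02:10Z 10.0.1.22 198.51.100.7 443 GET 512
2026-04-05T16:02:11Z 10.0.1.22 198.51.100.7 443 GET 1024
2026-04-05T16:05:00Z 10.0.1.15 203.0.113.9 8080 POST 4096
"""


def parse_log(text):
    """Parse the assumed whitespace-separated format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, method, nbytes = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "method": method,
            "nbytes": int(nbytes),
        })
    return events


def find_exfil_bursts(events, window_s=60, min_requests=4, watched_ports=frozenset({8080})):
    """Return one finding per (src, dst, port) flow whose densest window of POSTs
    to a watched port holds at least `min_requests` events.

    Thresholds are assumptions; the sliding window keeps the largest burst per flow.
    """
    by_flow = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["dport"] in watched_ports:
            by_flow[(e["src"], e["dst"], e["dport"])].append(e)

    findings = []
    window = timedelta(seconds=window_s)
    for (src, dst, dport), evs in by_flow.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        best = None
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most window_s seconds.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= min_requests and (best is None or count > best["requests"]):
                best = {
                    "src": src,
                    "dst": dst,
                    "dport": dport,
                    "requests": count,
                    "bytes": sum(e["nbytes"] for e in evs[start:end + 1]),
                    "first_seen": evs[start]["ts"].isoformat(),
                    "last_seen": evs[end]["ts"].isoformat(),
                }
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in find_exfil_bursts(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}:{f['dport']}: {f['requests']} POSTs, "
              f"{f['bytes']} bytes between {f['first_seen']} and {f['last_seen']}")
```

On the constructed sample the only finding is the 10.0.1.15 burst (five POSTs, 17,594 bytes); the HTTPS traffic and the isolated later POST fall below the threshold. In practice, pair a hit like this with a host-side check for reads of `.env` files, `~/.ssh`, and cloud credential paths by the Next.js process, since those are the data types the page lists as exfiltrated.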
Timeline
- 05.04.2026 17:17 (1 article)
Large-scale credential theft campaign exploiting React2Shell vulnerability in Next.js identified
A threat cluster tracked as UAT-10608 is conducting an automated credential theft campaign targeting Next.js applications vulnerable to React2Shell (CVE-2025-55182). The operation compromises hosts to harvest and exfiltrate database credentials, cloud tokens (AWS/GCP/Azure), SSH private keys, API keys, Kubernetes tokens, Docker information, command history, and process data. Exfiltration occurs via HTTP requests to a C2 server running the NEXUS Listener framework, which provides attackers with a statistics dashboard of compromised hosts and extracted credentials.
- Hackers exploit React2Shell in automated credential theft campaign — www.bleepingcomputer.com — 05.04.2026 17:17
Information Snippets
- The campaign targets Next.js applications vulnerable to React2Shell (CVE-2025-55182), a server-side template injection vulnerability.
  First reported: 05.04.2026 17:17 (1 source, 1 article)
  - Hackers exploit React2Shell in automated credential theft campaign — www.bleepingcomputer.com — 05.04.2026 17:17
- At least 766 hosts across various cloud providers and geographies have been compromised in a 24-hour period by the automated framework.
  First reported: 05.04.2026 17:17 (1 source, 1 article)
  - Hackers exploit React2Shell in automated credential theft campaign — www.bleepingcomputer.com — 05.04.2026 17:17
- The NEXUS Listener framework provides attackers with a web interface for data visualization, including statistics on compromised hosts, credential types extracted, and application uptime.
  First reported: 05.04.2026 17:17 (1 source, 1 article)
  - Hackers exploit React2Shell in automated credential theft campaign — www.bleepingcomputer.com — 05.04.2026 17:17
- The threat cluster responsible is tracked as UAT-10608, according to Cisco Talos analysis of an exposed NEXUS Listener instance.
  First reported: 05.04.2026 17:17 (1 source, 1 article)
  - Hackers exploit React2Shell in automated credential theft campaign — www.bleepingcomputer.com — 05.04.2026 17:17
- Exfiltrated data types include environment variables and secrets (API keys, database credentials, GitHub/GitLab tokens), SSH keys, cloud credentials (AWS/GCP/Azure metadata, IAM credentials), Kubernetes tokens, Docker/container information, command history, and process/runtime data.
  First reported: 05.04.2026 17:17 (1 source, 1 article)
  - Hackers exploit React2Shell in automated credential theft campaign — www.bleepingcomputer.com — 05.04.2026 17:17
- The campaign enables cloud account takeover, database and payment system access, lateral movement via SSH keys, and potential supply chain attacks.
  First reported: 05.04.2026 17:17 (1 source, 1 article)
  - Hackers exploit React2Shell in automated credential theft campaign — www.bleepingcomputer.com — 05.04.2026 17:17