Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials

Ravie LakshmananApr 02, 2026Vulnerability / Threat Intelligence

A large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens at scale.

Cisco Talos has attributed the operation to a threat cluster it tracks as UAT-10608. At least 766 hosts spanning multiple geographic regions and cloud providers have been compromised as part of the activity.

“Post-compromise, UAT-10608 leverages automated scripts for extracting and exfiltrating credentials from a variety of applications, that are then posted to its command-and-control (C2),” security researchers Asheer Malhotra and Brandon White said in a report shared with The Hacker News ahead of publication.

“The C2 hosts a web-based graphical user interface (GUI) titled ‘NEXUS Listener’ that can be used to view stolen information and gain analytical insights using precompiled statistics on credentials harvested and hosts compromised.”

The campaign is assessed to be targeting Next.js applications that are vulnerable to CVE-2025-55182 (CVSS score: 10.0), a critical flaw in React Server Components and Next.js App Router that could result in remote code execution, for initial access, and then dropping the NEXUS Listener collection framework.

This is accomplished by means of a dropper that proceeds to deploy a multi-phase harvesting script that collects various details from the compromised system –

Environment variables
JSON-parsed environment from JS runtime
SSH private keys and authorized_keys
Shell command history
Kubernetes service account tokens
Docker container configurations (running containers, their images, exposed ports, network configurations, mount points, and environment variables)
API keys
IAM role-associated temporary credentials by querying the Instance Metadata…

Source