Hackers are running a large-scale campaign to steal credentials in an automated manner after exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js apps.
At least 766 hosts across multiple cloud providers and geographies have been compromised to collect database and AWS credentials, SSH private keys, API keys, cloud tokens, and environment secrets.
The operation uses a framework named NEXUS Listener and leverages automated scripts to extract and exfiltrate sensitive data from multiple applications.
Cisco Talos attributes the activity to a threat cluster tracked as UAT-10608. The researchers gained access to an exposed NEXUS Listener instance, allowing them to analyze the type of data harvested from compromised systems and understand how the web application operates.

The attack begins with automated scanning for vulnerable Next.js apps, which are breached via the React2Shell vulnerability. A script that executes a multi-stage credential-harvesting routine is placed in the standard temporary directory.
According to Cisco Talos researchers, the data stolen this way includes:
Sensitive data is exfiltrated in chunks, each sent via an HTTP request over port 8080 to a command-and-control (C2) server running the NEXUS Listener component. The attacker is then presented with a detailed view of the data, including search, filtering, and statistical insights.
“The application contains a list of several statistics, including the number of hosts compromised and the total number of each credential type that were successfully extracted from those hosts,” Cisco Talos says in a report this week.
“It also lists the uptime of the application itself. In this case, the automated exploitation and harvesting framework was able to successfully compromise 766 hosts within a 24-hour period.”

The stolen secrets enable attackers to perform cloud account takeover and access databases, payment systems, and multiple services, also opening the door to supply-chain attacks. SSH keys could be used for lateral movement.
Cisco highlights that the compromised data, including personally identifiable information, also exposes victims to regulatory penalties for privacy law violations.
The researchers recommend that system administrators apply the security updates for React2Shell, audit server-side data exposure, and rotate all credentials immediately if there is any suspicion of a compromise.
It is also advised to enforce AWS IMDSv2 and replace any reused SSH keys. Administrators should additionally enable secret scanning, deploy WAF/RASP protections for Next.js, and enforce least privilege across containers and cloud roles to limit impact.
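The IMDSv2 recommendation above is the one that directly blunts the AWS-credential theft described in the report, since a metadata service that still accepts IMDSv1 hands instance-role credentials to any code running on the host. The following is an added example, not code from Cisco Talos or the article: it audits paginated `describe_instances` output for instances that still allow IMDSv1 and builds the `modify_instance_metadata_options` calls that make IMDSv2 mandatory. The instance IDs and the `SAMPLE_PAGES` data are constructed; `enforce_imdsv2` accepts any object with the boto3 EC2 client's `get_paginator` and `modify_instance_metadata_options` methods.

```python
from typing import Any, Dict, Iterable, List

# Constructed describe_instances output (not real AWS data): one instance
# still answers unauthenticated IMDSv1 requests, one already requires IMDSv2,
# one has the metadata endpoint disabled outright.
SAMPLE_PAGES = [
    {"Reservations": [{"Instances": [
        {"InstanceId": "i-0example01", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
        {"InstanceId": "i-0example02", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
        {"InstanceId": "i-0example03", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
    ]}]},
]

def find_imdsv1_instances(pages: Iterable[Dict[str, Any]]) -> List[str]:
    """Return IDs of instances whose metadata service still serves IMDSv1.

    With HttpTokens=optional the metadata service answers unauthenticated
    requests, so any code execution on the host (e.g. via a web-app RCE) can
    read the instance role's temporary credentials; 'required' forces the
    session-token handshake that a plain request cannot complete.
    """
    exposed = []
    for page in pages:
        for reservation in page.get("Reservations", []):
            for inst in reservation.get("Instances", []):
                opts = inst.get("MetadataOptions", {})
                if opts.get("HttpEndpoint", "enabled") != "enabled":
                    continue  # endpoint disabled: IMDS is not reachable at all
                if opts.get("HttpTokens", "optional") != "required":
                    exposed.append(inst["InstanceId"])
    return exposed

def imdsv2_params(instance_id: str) -> Dict[str, str]:
    """Keyword arguments for EC2.Client.modify_instance_metadata_options
    that make the session-token (PUT-then-GET) flow mandatory."""
    return {"InstanceId": instance_id, "HttpTokens": "required", "HttpEndpoint": "enabled"}

def enforce_imdsv2(ec2: Any, apply: bool = False) -> List[Dict[str, str]]:
    """Audit every instance via the paginated describe_instances API and,
    when apply=True, switch the exposed ones to IMDSv2-only. The parameter
    sets are returned either way so a dry run can be reviewed first."""
    pages = ec2.get_paginator("describe_instances").paginate()
    changes = [imdsv2_params(i) for i in find_imdsv1_instances(pages)]
    if apply:
        for params in changes:
            ec2.modify_instance_metadata_options(**params)
    return changes
```

Against a real account, pass `boto3.client("ec2")` to `enforce_imdsv2` with the default `apply=False` to see which instances would change, then rerun with `apply=True` once the list has been reviewed.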