Hackers Exploit React2Shell in Automated Credential Theft Campaign

React2Shell (CVE-2025-55182) is being weaponized to steal AWS keys, SSH keys, and .env secrets from Next.js apps at scale. 766 hosts hit in 24 hours.
766 Hosts Compromised in 24 Hours - React2Shell is on Fire
A threat cluster tracked as UAT-10608 has been running a large-scale automated campaign against Next.js applications through React2Shell (CVE-2025-55182), the critical remote code execution vulnerability in React Server Components, which Next.js ships. According to Cisco Talos, the operation compromised 766 hosts within a single 24-hour window - pulling database credentials, AWS/GCP/Azure tokens, SSH private keys, Kubernetes tokens, and .env secrets at machine speed.
This is not a targeted attack. It is a fully automated sweep across cloud providers and geographies, designed to vacuum up anything sensitive left exposed in a compromised runtime environment.
How the Attack Works
The attack chain is straightforward and brutal:
- Automated scanners identify vulnerable Next.js apps exposed to CVE-2025-55182
- A multi-phase harvesting script is dropped into the system temp directory
- The script extracts environment variables, cloud metadata, IAM credentials, Docker info, command history, and process data
- Stolen data is chunked and exfiltrated via HTTP on port 8080 to a C2 server running a framework called NEXUS Listener
- Attackers get a clean dashboard with search, filtering, and stats on every compromised host
The NEXUS Listener panel even tracks uptime and total credential counts per type - this is industrialized exploitation, not a one-off hack.
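The chain above leaves a recognizable shape in host telemetry even without campaign-specific indicators: a child of the Next.js server process running out of a temp directory, reading credential files and process environments, querying the cloud metadata service, and then connecting out on port 8080. The hunt below is an added example, not code from the article or from Cisco Talos. Its event records are constructed for illustration in a made-up exec/open/connect schema (map the field names to whatever your EDR, auditd or eBPF pipeline actually emits), 203.0.113.10 is an RFC 5737 documentation address standing in for a C2 host, and the script path is invented; none of the values are IOCs from the real campaign.

```python
"""Hunt for the harvest-and-exfiltrate pattern in process/file/network events.

Added example, not the article's or Cisco Talos's code. SAMPLE_EVENTS is a
constructed record set in an invented schema; the indicator rules are generic
to the technique (descendant of the web server process executing from a temp
directory, reading credential material, hitting cloud metadata, talking to
port 8080), not hashes, paths or addresses from the real campaign.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SERVER_COMMS = {"node", "next-server"}
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
CREDENTIAL_PATHS = ("/.env", "/.aws/credentials", "/.kube/config", "/.docker/config.json",
                    "/.ssh/id_", "/.bash_history", "/.zsh_history", "/var/run/docker.sock")
METADATA_HOST = "169.254.169.254"
EXFIL_PORT = 8080
# Internal 8080 traffic (service meshes, sidecars) is tolerated; anything else on 8080 is flagged.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

SAMPLE_EVENTS = [  # constructed sample telemetry, not real campaign data
    {"type": "exec", "pid": 1203, "ppid": 1, "comm": "node", "cmdline": "node server.js"},
    {"type": "open", "pid": 1203, "path": "/srv/app/.env"},  # the app loading its own config: normal
    {"type": "exec", "pid": 4200, "ppid": 1203, "comm": "sh", "cmdline": "sh -c 'git rev-parse HEAD'"},
    {"type": "exec", "pid": 4131, "ppid": 1203, "comm": "sh", "cmdline": "sh /tmp/.cache/h.sh"},
    {"type": "open", "pid": 4131, "path": "/srv/app/.env"},
    {"type": "open", "pid": 4131, "path": "/proc/1203/environ"},
    {"type": "open", "pid": 4131, "path": "/root/.aws/credentials"},
    {"type": "open", "pid": 4131, "path": "/root/.bash_history"},
    {"type": "exec", "pid": 4140, "ppid": 4131, "comm": "curl",
     "cmdline": "curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/"},
    {"type": "connect", "pid": 4140, "dst": "169.254.169.254", "dport": 80},
    {"type": "connect", "pid": 4131, "dst": "203.0.113.10", "dport": 8080},
    {"type": "exec", "pid": 5200, "ppid": 1, "comm": "bash", "cmdline": "bash /opt/deploy/restart.sh"},
    {"type": "open", "pid": 5200, "path": "/srv/app/.env"},  # deploy tooling, not a child of node
]


def indicators_for(event):
    """Map one event to zero or more technique indicators."""
    kind = event["type"]
    if kind == "exec":
        return ["exec_from_tmp"] if any(d in event["cmdline"] for d in TMP_DIRS) else []
    if kind == "open":
        path = event["path"]
        if path.startswith("/proc/") and path.endswith("/environ"):
            return ["environ_read"]
        return ["credential_read"] if any(p in path for p in CREDENTIAL_PATHS) else []
    if kind == "connect":
        if event["dst"] == METADATA_HOST:
            return ["metadata_query"]
        internal = any(ip_address(event["dst"]) in net for net in INTERNAL_NETS)
        return ["outbound_8080"] if event["dport"] == EXFIL_PORT and not internal else []
    return []


def hunt(events, min_indicators=2):
    """Return {top-level child pid of the server: sorted indicators} for every
    process tree spawned by the web server that shows at least min_indicators.
    Indicators from grandchildren (e.g. a curl the script launched) roll up to
    the script's own pid; the server process itself is never attributed."""
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "exec"}
    comm = {e["pid"]: e["comm"] for e in events if e["type"] == "exec"}

    def server_child_root(pid):
        # Walk up until the parent is the server process; the server itself and
        # anything not descended from it yield None.
        while pid in parent:
            if comm.get(parent[pid]) in SERVER_COMMS and comm.get(pid) not in SERVER_COMMS:
                return pid
            pid = parent[pid]
        return None

    found = defaultdict(set)
    for e in events:
        root = server_child_root(e["pid"])
        if root is not None:
            found[root].update(indicators_for(e))
    return {pid: sorted(inds) for pid, inds in found.items() if len(inds) >= min_indicators}


if __name__ == "__main__":
    for pid, inds in hunt(SAMPLE_EVENTS).items():
        print(f"ALERT pid {pid}: {', '.join(inds)}")
```

The threshold of two indicators is deliberate: the Next.js process reading its own .env, or a build step shelling out to git, is normal and neither fires on its own. What fires is the combination under one child of the server, which is exactly the shape of a harvester dropped via an RCE in the app.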
What Gets Stolen
The breadth of exfiltrated data is the real threat here:
- .env files containing API keys, DB passwords, and GitHub/GitLab tokens
- AWS, GCP, and Azure metadata and IAM credentials
- Kubernetes service account tokens
- SSH private keys (enabling lateral movement)
- Docker and container runtime information
- Shell command history
With this data, attackers can take over cloud accounts, pivot into databases and payment systems, and potentially poison supply chains upstream.
What Developers Should Do Right Now
If you are running a Next.js version affected by React2Shell, treat this as a five-alarm incident:
- Patch immediately - apply the security update addressing CVE-2025-55182
- Rotate all credentials - every API key, DB password, and cloud token in your environment
- Audit server-side data exposure - check what your app can access at runtime
- Require IMDSv2 on EC2 - it blocks SSRF-style reads of the metadata endpoint, but a script already executing on the host can still request a session token, so pair it with least-privilege instance roles rather than relying on it alone
- Replace reused SSH keys - one compromised key should not open every door
- Enable secret scanning in your CI/CD pipeline (git-secrets, GitHub secret scanning, etc.)
- Deploy WAF or RASP protections tuned for Next.js attack patterns
- Enforce least-privilege across all containers and cloud IAM roles
The .env file sitting in your repo or leaking through a misconfigured runtime is not a minor issue anymore. UAT-10608 proved it can be harvested at scale, in bulk, in under 24 hours.
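Rotating "every credential" and turning on secret scanning both start with the same question: what is actually in the environment the app process could read? The script below builds that inventory from a .env file. It is an added example, not code from the article or from any named scanner. The value patterns are public formats (the AKIA prefix of AWS access key IDs, GitHub's gh?_ token prefixes, PEM private-key headers, database URLs with embedded passwords) plus a key-name heuristic for anything else that looks like a credential; the sample .env is constructed, with AWS's own documentation example keys and a GitHub token made of x's so nothing in it is real. The NEXT_PUBLIC_ check is Next.js-specific: variables with that prefix are inlined into the browser bundle, so a secret under that name is exposed to every visitor, not just to an attacker on the server.

```python
"""Inventory secrets in a .env file so rotation and CI scanning have a concrete list.

Added example, not the article's code. SAMPLE_ENV is constructed:
AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY are the
example credentials used throughout AWS's own documentation, and the GitHub
token is the ghp_ prefix followed by 36 x's.
"""
import re

# Value-shape patterns for well-known credential formats (public knowledge, not campaign IOCs).
VALUE_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("database_url", re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^:/\s]+:[^@\s]+@")),
]
# Key-name heuristic for secrets whose value has no recognizable shape.
KEY_HINT = re.compile(r"(SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY)", re.IGNORECASE)
PLACEHOLDERS = {"", "changeme", "xxx", "<redacted>", "your-key-here"}

SAMPLE_ENV = """\
# constructed sample .env
NODE_ENV=production
NEXT_PUBLIC_API_BASE=https://api.example.test
DATABASE_URL=postgresql://app:hunter2@db.internal:5432/app
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GITHUB_TOKEN=ghp_{0}
STRIPE_SECRET_KEY=changeme
SESSION_SECRET="8f1c0b6e2a4d4c9f9e3b7a1d5c6e2f0a"
NEXT_PUBLIC_ANALYTICS_TOKEN=abc123
""".format("x" * 36)


def parse_env(text):
    """Yield (lineno, key, value) for KEY=VALUE lines; comments, blanks,
    an `export ` prefix and matching single/double quotes are handled."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        entries.append((lineno, key, value))
    return entries


def classify(key, value):
    """Return the secret type for one entry, or None if it looks non-sensitive."""
    if key.startswith("NEXT_PUBLIC_") and KEY_HINT.search(key):
        return "client_exposed_secret"  # Next.js inlines NEXT_PUBLIC_* into the browser bundle
    for name, pattern in VALUE_PATTERNS:
        if pattern.search(value):
            return name
    if KEY_HINT.search(key) and value.lower() not in PLACEHOLDERS:
        return "generic_secret"
    return None


def redact(value):
    """Keep just enough of the value to recognize it in a rotation ticket."""
    return value[:4] + "..." if len(value) > 8 else "..."


def inventory(text):
    """List of (lineno, key, type, redacted value) for every entry that needs rotating."""
    out = []
    for lineno, key, value in parse_env(text):
        kind = classify(key, value)
        if kind:
            out.append((lineno, key, kind, redact(value)))
    return out


if __name__ == "__main__":
    for lineno, key, kind, shown in inventory(SAMPLE_ENV):
        print(f"line {lineno:>3}  {kind:<22} {key} = {shown}")
```

Run it against each .env the app could read at runtime (and against `git log -p` output, since a secret removed from HEAD is still in history). Every row is something to rotate now; the client_exposed_secret rows additionally need the variable renamed so the value stops shipping to browsers. Wire the same function into CI so a commit that introduces a new row fails the build.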
Is your app vulnerable to similar attacks? Run an automated scan in 3 minutes with VibeWShield.