A significant wave of cyberattacks is rapidly targeting web applications globally, with threat actors exploiting a critical security vulnerability known as React2Shell. This flaw, present in the popular Next.js framework, which uses React Server Components, has allowed hackers to gain unauthorized access to sensitive data, including credentials and cloud keys, on a widespread scale.
In an alarming 24-hour period, researchers observed at least 766 servers compromised by these attacks. The stolen information included a broad spectrum of sensitive data, such as passwords, cloud provider API keys, database connection strings, and private keys for remote access. This breach highlights a serious risk for organizations relying on Next.js for their web development.
Hackers Exploit Next.js React2Shell Flaw to Steal Credentials
The vulnerability at the heart of this campaign is identified as CVE-2025-55182, commonly referred to as React2Shell. This critical flaw is rooted in the React Server Components (RSC) Flight protocol, specifically concerning how a React server handles incoming HTTP requests directed at Server Function endpoints. With a maximum severity score of 10.0 on the CVSS scale, the vulnerability allows attackers to execute arbitrary code on the server without requiring any form of authentication.
The widespread adoption of Next.js means that this flaw, also tracked under CVE-2025-66478 due to its downstream impact, affects a vast number of web applications. Cisco Talos researchers have identified this automated attack operation and are tracking the associated threat cluster as UAT-10608. The attackers are employing a systematic and indiscriminate approach, utilizing scanning services like Shodan and Censys to locate publicly accessible Next.js deployments that are running vulnerable versions of React Server Components.
Once a vulnerable target is identified, the attack process is fully automated, requiring no further manual intervention from the threat actors after the initial exploit is deployed. The scale of the breach is considerable, with confirmed compromises affecting at least 766 hosts across various cloud platforms, including AWS, Google Cloud, and Microsoft Azure. The types of data exfiltrated are extensive, encompassing database connection strings, SSH private keys, cloud access tokens, GitHub tokens, Stripe live secret keys, Kubernetes service account credentials, and environment variables.
In total, over 10,120 files were reportedly collected from the compromised systems. The implications of this attack extend far beyond immediate credential theft. Several of the breached hosts exposed authentication files for package registries, such as npm and pip configuration files containing registry credentials. This poses a significant supply chain risk, as attackers could potentially use these credentials to inject malicious code into trusted software packages, subsequently impacting any organization that utilizes those compromised packages.
The NEXUS Listener: How Stolen Data Is Controlled at Scale
To manage the exfiltrated data from the extensive network of compromised servers, the UAT-10608 threat cluster has deployed a custom command-and-control (C2) framework named NEXUS Listener. This web-based platform, currently in its third iteration, provides its operators with a graphical dashboard. Through this interface, they can review lists of compromised hosts, categorize stolen credentials for easier management, analyze harvesting statistics, and monitor the success rate of credential extraction during different stages of the attack.
The attack sequence begins with the identification of a vulnerable endpoint. A single, carefully crafted HTTP request is then sent to the RSC Server Function endpoint. Upon receiving this malicious payload, the server deserializes it, leading to the execution of arbitrary code. This code subsequently deploys a lightweight shell script into a temporary directory, often using a randomized filename to evade detection.
This initial dropper then retrieves a multi-phase credential harvesting script from the attacker’s infrastructure. Each phase is designed to collect specific types of data, ranging from SSH keys and cloud tokens to database passwords. The collected information is then reported back to the NEXUS Listener C2 server, typically on port 8080, along with identifying details of the victim, such as the hostname and the specific phase of data collection. This fully automated process facilitates the rapid and widespread compromise of hundreds of systems.
Organizations that are running applications developed with Next.js, particularly those utilizing the App Router or any implementation of React Server Components, are strongly advised to update their systems to the latest available version without delay. It is also imperative to immediately rotate all sensitive credentials that may have been exposed in affected environments. This includes AWS keys, database passwords, SSH keys, API tokens, and GitHub tokens.
Security teams should review cloud instance roles for overly permissive access policies and enforce the use of IMDSv2 on cloud instances. SSH key pairs should also not be reused across different systems. Monitoring outbound HTTP traffic originating from application containers, with a specific focus on detecting unexpected connections to unknown IP addresses on port 8080, is a practical and crucial step for early detection of an active breach.
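One way to implement the outbound-traffic check described above, as an added example that is not code from the article or from any of the tools it names: it scans per-container flow records for connections from the Next.js application containers to non-allowlisted hosts on TCP/8080. The log format, container names, and the allowed internal network are constructed assumptions for illustration.

```python
"""Flag outbound connections from application containers to unexpected
hosts on TCP/8080, the port the article associates with NEXUS Listener.
Added example; the log format and allowlist below are constructed."""
import csv
import io
import ipaddress

# Constructed sample of per-container flow records (not real traffic):
# ts, container, dst_ip, dst_port, proto
SAMPLE_FLOWS = """\
ts,container,dst_ip,dst_port,proto
2025-12-05T10:00:01Z,web-frontend,10.0.3.15,8080,tcp
2025-12-05T10:00:07Z,web-frontend,203.0.113.77,8080,tcp
2025-12-05T10:00:09Z,web-frontend,198.51.100.4,443,tcp
2025-12-05T10:00:12Z,nginx-ingress,192.0.2.10,8080,tcp
"""

# Containers running the Next.js app (assumed names); these are the ones
# whose 8080 egress should be scrutinised.
APP_CONTAINERS = {"web-frontend"}
# Internal destinations the app is expected to reach on 8080 (assumed).
ALLOWED_8080 = [ipaddress.ip_network("10.0.0.0/8")]
SUSPECT_PORT = 8080


def is_allowed(dst_ip: str) -> bool:
    """True when dst_ip falls inside an allowlisted network."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in ALLOWED_8080)


def find_suspect_egress(log_text: str) -> list[dict]:
    """Return flow records from app containers to non-allowlisted hosts on 8080."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["container"] not in APP_CONTAINERS:
            continue
        if row["proto"] != "tcp" or int(row["dst_port"]) != SUSPECT_PORT:
            continue
        if is_allowed(row["dst_ip"]):
            continue  # expected internal service traffic
        alerts.append(row)
    return alerts


if __name__ == "__main__":
    for hit in find_suspect_egress(SAMPLE_FLOWS):
        print(f"ALERT {hit['ts']} {hit['container']} -> "
              f"{hit['dst_ip']}:{hit['dst_port']}")
```

In the sample data only the flow to 203.0.113.77 is reported; the internal 10.0.3.15 destination and the non-application container are ignored.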