Automated Credential Harvesting Campaign Targets React2Shell Vulnerability
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A large-scale automated credential harvesting campaign, tracked as UAT-10608, has compromised at least 766 hosts globally within 24 hours. The attackers exploit the React2Shell vulnerability (CVE-2025-55182), a pre-authentication remote code execution flaw affecting .js applications. This operation utilizes a framework called 'NEXUS Listener' to systematically harvest sensitive data, including usernames, passwords, SSH keys, and cloud tokens. Researchers from Cisco Talos discovered that an exposed web application allowed them to view the harvested data, which included credentials from major services like AWS, Microsoft Azure, and GitHub. The campaign's indiscriminate targeting pattern suggests automated scanning based on host profile data from services like Shodan. Organizations are urged to address this vulnerability promptly to prevent further credential theft. Talos is collaborating with affected service providers to notify victims and mitigate the impact.
Key Points: • UAT-10608 has compromised over 766 hosts in just 24 hours. • The attack exploits the React2Shell vulnerability (CVE-2025-55182). • Sensitive data from major platforms, including AWS and GitHub, is at risk.