Automated Credential Harvesting Campaign Targets React2Shell Vulnerability

Automated Credential Harvesting Campaign Targets React2Shell Vulnerability

First seen 3 Apr 2026, 07:15 UTC Blog.TalosintelligenceGbhackersCybersecuritynewsCsoonlineScworld+5 86% similarity 72.8

Article Content

Browse articles
ThreatCluster

A large-scale automated credential harvesting campaign, tracked as UAT-10608, has compromised at least 766 hosts globally within 24 hours. The attackers exploit the React2Shell vulnerability (CVE-2025-55182), a pre-authentication remote code execution flaw affecting .js applications. This operation utilizes a framework called 'NEXUS Listener' to systematically harvest sensitive data, including usernames, passwords, SSH keys, and cloud tokens. Researchers from Cisco Talos discovered that an exposed web application allowed them to view the harvested data, which included credentials from major services like AWS, Microsoft Azure, and GitHub. The campaign's indiscriminate targeting pattern suggests automated scanning based on host profile data from services like Shodan. Organizations are urged to address this vulnerability promptly to prevent further credential theft. Talos is collaborating with affected service providers to notify victims and mitigate the impact.

Key Points: • UAT-10608 has compromised over 766 hosts in just 24 hours. • The attack exploits the React2Shell vulnerability (CVE-2025-55182). • Sensitive data from major platforms, including AWS and GitHub, is at risk.

ThreatCluster AI

Timeline

2025-12-03
CVE-2025-55182 published
2025-12-05
CVE-2025-55182 added to CISA KEV
2025-12-15
First public PoC for CVE-2025-55182
2026-04-02
Talos discloses UAT-10608 credential harvesting campaign
2026-04-03
Researchers view exposed dashboard of UAT-10608

Community

Browse all →