Automated Credential Harvesting Campaign Targets React2Shell Vulnerability

Severity: High (Score: 72.8)

Sources: Scworld, Bleepingcomputer, Blog.Talosintelligence, Csoonline, Socprime

Summary

A large-scale automated credential harvesting campaign, tracked as UAT-10608, has compromised at least 766 hosts globally within 24 hours. The attackers exploit the React2Shell vulnerability (CVE-2025-55182), a pre-authentication remote code execution flaw affecting Next.js applications. This operation utilizes a framework called 'NEXUS Listener' to systematically harvest sensitive data, including usernames, passwords, SSH keys, and cloud tokens. Researchers from Cisco Talos discovered that an exposed web application allowed them to view the harvested data, which included credentials from major services like AWS, Microsoft Azure, and GitHub. The campaign's indiscriminate targeting pattern suggests automated scanning based on host profile data from services like Shodan. Organizations are urged to address this vulnerability promptly to prevent further credential theft. Talos is collaborating with affected service providers to notify victims and mitigate the impact.

Key Points

  • UAT-10608 has compromised over 766 hosts in just 24 hours.
  • The attack exploits the React2Shell vulnerability (CVE-2025-55182).
  • Sensitive data from major platforms, including AWS and GitHub, is at risk.

Key Entities

  • Data Breach (attack_type)
  • UAT-10608 (campaign)
  • CVE-2025-55182 (cve)
  • kubernetes.io (domain)
  • T1003.004 - LSA Secrets (mitre_attack)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • AWS (company)
  • Docker (tool)
  • Nexus Listener (tool)
  • Kubernetes (platform)
  • Next.js (platform)
  • React2Shell (malware)