A global cybercrime group is targeting public-facing web applications by exploiting the React2Shell vulnerability to steal passwords and other sensitive information. Cisco Talos researchers found that this campaign belongs to a threat cluster tracked as UAT-10608, which uses an automated tool called "NEXUS Listener."

They also found that the operation has affected 766 hosts across different regions and cloud providers since it began. The attackers target Next.js web applications vulnerable to CVE-2025-55182, a pre-authentication remote code execution (RCE) flaw known as React2Shell. According to the researchers, the attackers can then browse the stolen data through an easy-to-use graphical user interface (GUI) that offers detailed statistics and search options, letting them go through it whenever they want.

They say these options are possible because the attackers can see detailed maps of the victim's infrastructure, such as services, cloud usage, and integrations. The researchers observed that the attack is consistent with automated scanning, probably based on host profile data from services such as Shodan, Censys, or custom scanners that look for the React configuration vulnerabilities described. They said that although many of the affected companies have not yet put this important security measure in place, it remains a very important step in protecting against these kinds of threats.

They also said that security teams should consider adding further security measures and regularly reviewing their cybersecurity posture to stay a step ahead of new cyber threats.

Researchers said that to protect against malicious activity like that carried out by the threat cluster, organizations should rotate exposed credentials and API keys, follow least-privilege access policies, and stop reusing SSH keys. They also said organizations should patch their Next.js deployments immediately to lower the risk posed by the credential theft campaign. In addition, they advised companies to limit access to cloud metadata services, use secrets scanning, and watch for unusual patterns of activity to keep their data safe.

They concluded that the campaign appears to have been put together by skilled threat actors who make use of the automation tools and services available to them.