Large-Scale Credential Theft Attack Utilizes React2Shell Vulnerability

A Large-Scale Credential Harvesting Campaign Uncovered

Cisco’s Talos security researchers have identified a significant threat actor behind a credential harvesting campaign targeting vulnerable Next.js applications.

The Campaign Exploits React2Shell Vulnerability

The campaign exploits the React2Shell vulnerability (CVE-2025-55182), a critical flaw with a CVSS score of 10, allowing remote, unauthenticated attackers to execute arbitrary code.

Automated Scanning and Credential Harvesting

  • The attackers use automated scanning to identify applications impacted by the vulnerability.
  • Following initial access, the attackers employ automated scripts and the Nexus Listener framework to harvest credentials, cloud tokens, SSH keys, and environment secrets at scale.
  • At least 766 systems have been compromised, and over 10,000 files have been collected as part of the campaign.

According to Talos, the attackers target public-facing web applications vulnerable to React2Shell, delivering a crafted payload via an HTTP request and executing arbitrary code on the server-side Node.js process.

Data Collection and Exfiltration

  • The attackers use an automated script for multi-phased data collection, iterating through running processes, the JavaScript runtime, SSH, shell command history, tokens, cloud metadata APIs, Kubernetes service accounts, container configurations, and running process command lines.
  • The exfiltrated data is sent to the attackers’ command-and-control (C&C) server, where it is made available through the Nexus Listener web application.

Talos notes that the breadth of the victim set and the indiscriminate targeting pattern are consistent with automated scanning, likely based on host profile data from services such as Shodan, Censys, or custom scanners.
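A defender-side heuristic for the collection phases listed above, added here as an example and not code from Talos's report: it flags a web-runtime process (the Node.js process Next.js runs in) that touches several distinct secret stores, which is the pattern the campaign's harvesting script produces. The event schema, process names and sample events are constructed assumptions for illustration.

```python
"""Flag a web-runtime PID that reads multiple secret stores or hits cloud metadata."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Collection targets named in the Talos writeup, as path patterns (assumed locations).
SENSITIVE_FILE_PATTERNS = [
    (r"/\.ssh/", "ssh_keys"),
    (r"/\.(bash|zsh)_history$", "shell_history"),
    (r"/var/run/secrets/kubernetes\.io/serviceaccount/", "k8s_service_account"),
    (r"/\.aws/credentials$", "cloud_credentials"),
    (r"/\.env(\.|$)", "env_secrets"),
]
METADATA_ENDPOINTS = {"169.254.169.254", "metadata.google.internal"}
WEB_RUNTIMES = {"node", "next-server"}  # assumed process names for a Next.js server

@dataclass
class Event:
    pid: int
    comm: str     # process name
    kind: str     # "open" (file access) or "connect" (outbound connection)
    target: str   # file path or remote host

def classify(event):
    """Return the secret-store category this event touches, or None."""
    if event.comm not in WEB_RUNTIMES:
        return None
    if event.kind == "open":
        for pattern, category in SENSITIVE_FILE_PATTERNS:
            if re.search(pattern, event.target):
                return category
    elif event.kind == "connect" and event.target in METADATA_ENDPOINTS:
        return "cloud_metadata"
    return None

def find_harvesting_pids(events, min_categories=2):
    """Return {pid: categories} for web-runtime PIDs touching >= min_categories stores."""
    hits = defaultdict(set)
    for ev in events:
        cat = classify(ev)
        if cat:
            hits[ev.pid].add(cat)
    return {pid: sorted(c) for pid, c in hits.items() if len(c) >= min_categories}

# Constructed sample telemetry, not real data from the campaign.
SAMPLE_EVENTS = [
    Event(4242, "node", "open", "/app/.next/server/pages/index.js"),
    Event(4242, "node", "open", "/root/.ssh/id_rsa"),
    Event(4242, "node", "open", "/root/.bash_history"),
    Event(4242, "node", "open", "/var/run/secrets/kubernetes.io/serviceaccount/token"),
    Event(4242, "node", "connect", "169.254.169.254"),
    Event(5150, "node", "open", "/app/.env"),              # one touch: normal app config load
    Event(6000, "sshd", "open", "/root/.ssh/authorized_keys"),  # not a web runtime
]
```

A single `.env` read by the app itself stays below the threshold, so only the PID that walks SSH keys, history, the Kubernetes token and the metadata endpoint is reported.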

Exposed Credentials and Keys

  • One instance of the Nexus Listener was left exposed, allowing Talos to peek into its inner workings and exfiltrated data.
  • The exposed instance revealed the successful compromise of 766 hosts within 24 hours.
  • The stolen information includes keys for AI platforms, payment processors, AWS, and communication platforms, as well as GitHub tokens, database connection secrets, auth tokens, passwords, and more.

All the exposed credentials, keys, tokens, and secrets in the dataset should be considered compromised and must be rotated, as they could lead to further compromise, including supply chain attacks, lateral movement, and compliance issues.
