www.darkreading.com 4/6/2026, 4:01:53 PM · via preferred

Automated Credential Harvesting Campaign Exploits React2Shell Flaw

CyberSIXT Evidence Panel
CISA KEV: Listed in KEV
Patch: Patch Available

An emerging global credential theft campaign is exploiting publicly accessible Web applications vulnerable to React2Shell and then deploying an automated collection tool to steal credentials and other data, Cisco Talos researchers say. The campaign, tracked as UAT-10608, targets Next[.]js Web applications and uses an automated framework dubbed “NEXUS Listener” to exfiltrate credentials, SSH keys, cloud tokens, and environment secrets at scale.

According to Cisco Talos, the attack has compromised at least 766 hosts across multiple geographic regions and cloud providers at the time of reporting. Attackers initiate access by exploiting a pre-authentication remote code execution flaw, CVE-2025-55182, in Next[.]js deployments, then rely on NEXUS Listener to harvest data and present it in a GUI for analysis.

Researchers describe the operation as partially automated: scanning is automated and the victim set is broad and indiscriminate, a pattern consistent with rapid credential theft and potential follow-on abuse. Recommended defences include patching CVE-2025-55182, rotating credentials, enforcing least-privilege access, and monitoring for artefacts such as unusual outbound connections and server-side secrets appearing in rendered HTML.
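One way to implement the last of those checks, scanning a page's rendered HTML for secret-shaped strings that should never reach the client, as an added example that is not from the article or from Cisco Talos; the detection patterns and the sample HTML are constructed assumptions, not indicators from the campaign:

```python
import re
from typing import Dict, List

# Secret-shaped patterns that have no business in client-delivered HTML.
# Constructed for this example; extend them for the secrets your stack uses.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "env_assignment": re.compile(
        r"\b(?:DATABASE_URL|SECRET_KEY|API_KEY|AWS_SECRET_ACCESS_KEY)=\S+"
    ),
}


def redact(value: str) -> str:
    """Keep a short prefix for triage so the full secret is never written to a report."""
    if value.startswith("-----BEGIN"):
        return value  # a PEM header carries no secret material itself
    return value[:8] + "..."


def find_leaked_secrets(html: str) -> List[Dict[str, object]]:
    """Return every secret-shaped match in rendered HTML with the line it sits on."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(
                    {"type": name, "line": lineno, "match": redact(match.group(0))}
                )
    return findings


# Constructed sample: a Next.js page whose serialised props leaked server-side
# config into the __NEXT_DATA__ blob (the key is AWS's documented example value).
SAMPLE_HTML = """<html><head><title>Dashboard</title></head>
<body>
<script id="__NEXT_DATA__" type="application/json">
{"props":{"pageProps":{"awsKey":"AKIAIOSFODNN7EXAMPLE","db":"DATABASE_URL=postgres://app:hunter2@db.internal:5432/app"}}}
</script>
<p>Welcome back.</p>
</body></html>"""

if __name__ == "__main__":
    for finding in find_leaked_secrets(SAMPLE_HTML):
        print(f"line {finding['line']}: {finding['type']} ({finding['match']})")
```

Run it against HTML fetched from your own deployments after a patch or rotation to confirm nothing server-side is still being rendered to clients.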

The piece, published on 6 April 2026 by Elizabeth Montalbano, notes the campaign’s potential for further misuse, including selling access to compromised environments.


Article by CyberSIXT