According to Cisco Talos, a large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability (CVE-2025-55182) as an initial infection vector to steal a range of credentials, including database credentials, SSH private keys, AWS secrets, Stripe API keys, and GitHub tokens. At least 766 Next.js hosts across multiple regions and cloud providers have been compromised as part of the activity.
Talos described the operation as automated, with post-compromise scripts that extract credentials and exfiltrate them to a command-and-control host fronted by a web GUI named "NEXUS Listener", which displays statistics on compromised hosts and harvested credentials. The campaign targets Next.js applications vulnerable to CVE-2025-55182, described as a critical flaw in React Server Components and the Next.js App Router that can enable remote code execution and so serves as the initial access vector.
The researchers, Asheer Malhotra and Brandon White, said the breadth of data collected includes environment variables, API keys, IAM credentials, and cloud service tokens, underscoring how compromised hosts could be used for follow-on attacks or have their access resold.
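As an added example for this article (not Talos's tooling and not drawn from the report), the following script inventories the credential classes the researchers say were harvested from a compromised host: database credentials, SSH private keys, AWS access keys, Stripe secret keys, GitHub tokens, and secret-named environment variables. An operator of a Next.js host who suspects exposure can run it to see exactly which secrets an automated stealer would have picked up and therefore must be rotated. The token regexes follow publicly documented prefixes (AKIA, sk_live_/sk_test_, ghp_) and the list of files read from the home directory are assumptions of this example; the sample environment and file contents are constructed.

```python
"""Inventory secrets on a Node/Next.js host that a post-compromise credential
stealer would collect, so they can be rotated.

Added example, not Talos tooling. Regexes and file list are assumptions.
"""
import os
import re
from pathlib import Path

# Credential classes named in the report; patterns follow publicly documented
# token prefixes (assumption of this example, not Talos's detection logic).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36}\b"),
    "database_url": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s:@/]+:[^\s@]+@"
    ),
    "ssh_private_key": re.compile(r"-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----"),
}
# KEY=value lines whose name alone marks them as secrets, whatever the value.
SENSITIVE_NAME = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY|ACCESS_KEY", re.I)

# Files a stealer on a Node host would plausibly read (assumption; the article
# names no paths).
DEFAULT_FILES = [
    ".env", ".env.local", ".env.production",
    ".aws/credentials", ".git-credentials", ".npmrc",
    ".ssh/id_rsa", ".ssh/id_ecdsa", ".ssh/id_ed25519",
]


def classify(text: str) -> list:
    """Return the sorted credential classes present in `text`."""
    kinds = {name for name, rx in PATTERNS.items() if rx.search(text)}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and value.strip() and SENSITIVE_NAME.search(key.strip()):
            kinds.add("sensitive_name")
    return sorted(kinds)


def scan_env(env: dict) -> dict:
    """Map 'env:NAME' -> kinds for every variable that looks like a secret."""
    out = {}
    for name, value in env.items():
        kinds = classify(f"{name}={value}")
        if kinds:
            out[f"env:{name}"] = kinds
    return out


def scan_files(files: dict) -> dict:
    """files is {path: content}; returns {path: kinds} for files holding secrets."""
    return {path: k for path, content in files.items() if (k := classify(content))}


def read_home_files(home=None, names=DEFAULT_FILES) -> dict:
    """Load the DEFAULT_FILES that exist under `home` into {path: content}."""
    base = Path(home) if home else Path.home()
    out = {}
    for name in names:
        p = base / name
        if p.is_file():
            try:
                out[str(p)] = p.read_text(errors="replace")
            except OSError:
                continue
    return out


def report(env: dict, files: dict) -> dict:
    """Invert findings into {kind: [sources]} to drive a rotation checklist."""
    by_kind = {}
    for source, kinds in {**scan_env(env), **scan_files(files)}.items():
        for kind in kinds:
            by_kind.setdefault(kind, []).append(source)
    return {k: sorted(v) for k, v in sorted(by_kind.items())}


# Constructed sample input so the example runs offline. The AWS key is the
# documented AKIAIOSFODNN7EXAMPLE placeholder; the other values are dummies.
SAMPLE_ENV = {
    "DATABASE_URL": "postgres://app:hunter2@db.internal:5432/app",
    "STRIPE_SECRET_KEY": "sk_live_" + "x" * 24,
    "NEXT_PUBLIC_SITE_URL": "https://example.com",
    "NODE_ENV": "production",
}
SAMPLE_FILES = {
    "/home/app/.aws/credentials": (
        "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "/home/app/.ssh/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmU\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "/home/app/.git-credentials": "https://x-access-token:ghp_" + "A" * 36 + "@github.com\n",
    "/home/app/.npmrc": "registry=https://registry.npmjs.org/\n",  # benign, not reported
}

if __name__ == "__main__":
    print("constructed sample:", report(SAMPLE_ENV, SAMPLE_FILES))
    print("this host:", report(dict(os.environ), read_home_files()))
```

Run it as the service account that the Next.js process uses, since that is the identity an RCE in the application would inherit; anything it reports is what an automated stealer would have exfiltrated and should be treated as compromised, not merely "possibly exposed".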