www.securityweek.com 4/3/2026, 11:21:47 AM

Attackers Exploit Next.js Bug, Loot Credentials From 766 Hosts

First seen 2026-03-06T10:27:52.535Z · Last seen 2026-04-03T11:21:47.666Z

CyberSIXT Evidence Panel
CISA KEV: Listed in KEV
Patch: Patch Available

According to Talos, a threat actor tracked as UAT-10608 exploited vulnerable Next.js applications to compromise systems and exfiltrate credentials at scale, using automated scanning to target Next.js deployments affected by CVE-2025-55182 (CVSS 10), a critical React vulnerability known as React2Shell. Following initial access, the operation used automated scripts and the Nexus Listener framework to harvest credentials, cloud tokens, SSH keys and environment secrets from exposed systems.

Talos notes that at least 766 systems have been compromised and more than 10,000 files collected as part of the campaign; the Nexus Listener instance was left exposed, revealing the breadth of the breach. The exfiltrated data includes keys for AI platforms, payment processors, AWS and other services, along with GitHub tokens, database secrets, auth tokens and passwords. In total, the attackers broadcast credentials, keys and secrets from 766 hosts within 24 hours. The exposed credentials, keys and secrets should be considered compromised and rotated to mitigate further risk, including potential supply chain movement and lateral access.

Article by CyberSIXT
