A large-scale automated campaign is currently exploiting a critical flaw in Next.js applications to map and harvest credentials from cloud-native environments. This operation provides the adversary with a comprehensive inventory of victim infrastructure, including internal API keys and production database access.
Tracked as CVE-2025-55182, the React2Shell vulnerability allows unauthenticated attackers to execute code and extract environment variables, shell history, and Docker configurations. The threat actor, identified as UAT-10608, exfiltrates this data to a centralized command-and-control interface called NEXUS Listener. This GUI-based tool allows operators to analyze stolen AWS secrets, SSH keys, and Kubernetes tokens in real time, facilitating immediate lateral movement.
Modern web frameworks often run with excessive local permissions, turning a single application-layer flaw into a full infrastructure compromise. The rapid aggregation of stolen secrets into a searchable database suggests that UAT-10608 is operating as an Initial Access Broker, preparing high-value targets for resale to ransomware affiliates.
– Audit all Next.js deployments and update to the latest patched security release immediately.
– Enforce AWS IMDSv2 on all EC2 instances to prevent the theft of temporary security credentials from metadata services.
– Implement secret scanning across all repositories and CI/CD pipelines to identify and rotate exposed keys.
– Strictly adhere to the principle of least privilege for application service accounts to limit the blast radius of RCE.
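As an added example of the IMDSv2 control listed above (this is not code from the original post): a Python audit over the JSON shape returned by `aws ec2 describe-instances`, which flags instances that still accept IMDSv1 token-less requests or allow the token response to cross an extra network hop (such as a Docker bridge), and emits the CLI command that enforces IMDSv2. The sample response and instance IDs are constructed; no AWS access is needed to run it.

```python
from dataclasses import dataclass

# Constructed sample: the describe-instances response shape, trimmed to the
# fields this audit needs. Instance IDs are placeholders, not real instances.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0example000000001",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0example000000002",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0example000000003",
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
    ]}]
}

@dataclass
class Finding:
    instance_id: str
    reason: str

def audit_imds(describe_response, max_hop_limit=1):
    """Return a Finding for every instance whose metadata settings would let a
    compromised process obtain role credentials without an IMDSv2 token, or
    from inside a container one hop away from the instance's network stack."""
    findings = []
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            iid = inst["InstanceId"]
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no metadata endpoint at all: nothing to harvest via IMDS
            if opts.get("HttpTokens") != "required":
                findings.append(Finding(iid, "IMDSv1 still accepted (HttpTokens is not 'required')"))
            hop = opts.get("HttpPutResponseHopLimit", 1)
            if hop > max_hop_limit:
                findings.append(Finding(iid, f"token response hop limit {hop} exceeds {max_hop_limit}"))
    return findings

def remediation_commands(findings):
    """Build one AWS CLI command per flagged instance that requires IMDSv2 tokens
    and pins the token response hop limit to 1."""
    return [f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
            "--http-tokens required --http-endpoint enabled --http-put-response-hop-limit 1"
            for iid in sorted({f.instance_id for f in findings})]

if __name__ == "__main__":
    for f in audit_imds(SAMPLE_DESCRIBE_INSTANCES):
        print(f"{f.instance_id}: {f.reason}")
    print("\n".join(remediation_commands(audit_imds(SAMPLE_DESCRIBE_INSTANCES))))
```

Feed it the parsed output of `aws ec2 describe-instances` for each region; instances whose hop limit must stay above 1 because containers legitimately need IMDS should be reviewed rather than blindly remediated.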
The centralization of stolen cloud secrets into an analytics platform represents a professionalization of the initial access market. #CodeDefence #NextJS #CloudSecurity #React2Shell