Cyber Web Spider Blog – News

React2Shell Exploitation: Large-Scale Attack Exposes Credentials

Posted on April 3, 2026 By CWS

A recent alert from Cisco’s Talos security team highlights a significant cybersecurity threat involving the exploitation of vulnerable Next.js applications. Identified as UAT-10608, the malicious actors behind this campaign are using vulnerabilities in these applications to gather credentials on a large scale.

Understanding the React2Shell Vulnerability

The attackers are capitalizing on a critical vulnerability, CVE-2025-55182, which is commonly referred to as React2Shell by the cybersecurity community. This flaw, with a CVSS score of 10, enables remote and unauthenticated attackers to execute arbitrary code. By leveraging automated scanning, the attackers identify systems susceptible to this exploit.

Once access is obtained, the attackers deploy automated scripts and utilize the Nexus Listener framework to collect a variety of sensitive data, including cloud tokens, SSH keys, and environment secrets. Talos reports that at least 766 systems have been compromised, resulting in the collection of over 10,000 files.

Attack Methodology and Impact

The scale of this attack is highlighted by the indiscriminate nature of its targeting, likely facilitated through host profile data from services like Shodan and Censys. These tools help enumerate publicly accessible Next.js deployments, which are then probed for vulnerabilities related to the React configuration.

The adversaries employ an automated script for a multi-phase data collection process. This script iterates through various data points such as running processes, JavaScript runtime, and cloud metadata APIs. The collected data is then sent to a command-and-control server via the Nexus Listener web application.

Consequences and Recommendations

Among the exfiltrated data are keys for AI platforms, AWS, and other critical services, along with GitHub tokens and database secrets. Talos discovered an exposed Nexus Listener instance that provided insight into the scale of the compromise, revealing that 766 hosts were affected within just one day.

Given the sensitive nature of the information collected, all compromised credentials and secrets should be rotated immediately to prevent further breaches. Failure to do so could result in supply chain attacks, unauthorized system access, and significant compliance issues.
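To scope that rotation on a host that may have been reached, the sketch below builds an inventory of secrets found in environment-file text, covering the credential types named above. It is an added example, not code from Talos or this blog; the token patterns are heuristic assumptions based on publicly documented prefixes, and the sample values and the `.env.production` name are constructed.

```javascript
// Added example: rotation inventory from environment-file text (constructed data).
const RULES = [
  { kind: 'aws-access-key-id', re: /^(AKIA|ASIA)[A-Z0-9]{16}$/ },
  { kind: 'github-token', re: /^(gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})$/ },
  { kind: 'ai-platform-key', re: /^sk-[A-Za-z0-9_-]{20,}$/ },
  { kind: 'database-url', re: /^(postgres(ql)?|mysql|mongodb(\+srv)?|redis):\/\/[^:\/\s]*:[^@\s]+@/ },
];
// Fallback: the variable name itself suggests a secret (assumed naming habits).
const SECRET_NAME = /SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE_KEY|CREDENTIAL/i;

// Parse KEY=value lines: optional "export", quoted values, comment and blank lines.
function parseEnv(text) {
  const out = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith('#')) return;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) return;
    const quoted = /^(["'])(.*)\1$/.exec(m[2].trim());
    const value = quoted ? quoted[2] : m[2].replace(/\s+#.*$/, '').trim();
    out.push({ name: m[1], value, line: i + 1 });
  });
  return out;
}

function classify(name, value) {
  if (!value) return null;
  const hit = RULES.find((r) => r.re.test(value));
  return hit ? hit.kind : SECRET_NAME.test(name) ? 'named-secret' : null;
}

// One entry per secret to rotate; emits only the last four characters, never the value.
function rotationInventory(text, source) {
  return parseEnv(text)
    .map((e) => ({ source, line: e.line, name: e.name, kind: classify(e.name, e.value),
      tail: e.value.length >= 16 ? e.value.slice(-4) : '' }))
    .filter((e) => e.kind !== null);
}

const SAMPLE_ENV = [
  '# constructed sample, not real credentials',
  'NODE_ENV=production',
  'AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12',
  'AWS_SECRET_ACCESS_KEY="constructedSecretValue0000000000000000ab"',
  'export GITHUB_TOKEN=ghp_' + 'a'.repeat(36),
  "DATABASE_URL='postgres://app:s3cret@db.internal:5432/app'",
  'OPENAI_API_KEY=sk-' + 'x'.repeat(32) + '  # trailing comment',
].join('\n');
console.log(rotationInventory(SAMPLE_ENV, '.env.production'));
```

An entry here means the value was readable by the application process, so it belongs on the rotation list even if no misuse has been observed yet.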

Organizations are urged to review their security measures and patch known vulnerabilities promptly to prevent such exploits. Staying informed and proactive is crucial in mitigating risks associated with these large-scale credential harvesting campaigns.

Security Week News. Tags: automated scanning, credential harvesting, CVE-2025-55182, Cybersecurity, data exfiltration, Next.js, NEXUS Listener, React2Shell, security researchers, UAT-10608

Copyright © 2026 Cyber Web Spider Blog – News.
