{"id":481,"date":"2026-04-02T20:45:03","date_gmt":"2026-04-02T20:45:03","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=481"},"modified":"2026-04-02T20:45:03","modified_gmt":"2026-04-02T20:45:03","slug":"hackers-exploit-cve-2025-55182-to-breach-766-next-js-hosts-steal-credentials","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=481","title":{"rendered":"Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Apr 02, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Threat Intelligence<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj8T48UROZtSjRXtkxVcNT2VmXbB1texWQPAqLbm06uwmJ8VsYFb_HeXOnZx9uz9QL-LB3aWdwcLm9TbuRler7w7jjXJlL_tQweQualaW4XEVav7Ysulqx_CJyc9a0P1dO1a69W_eQhroxV1LA_p5VB9T38Xubc3zXHgwd-4sAAc2whuv4ElnC5WtFSn7SH\/s1700-e365\/nextjs.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>A\u00a0large-scale credential harvesting operation\u00a0has been\u00a0observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens at\u00a0scale.<\/p>\n<p>Cisco\u00a0Talos has attributed the operation to a threat cluster it tracks\u00a0as <strong>UAT-10608<\/strong>. At\u00a0least 766 hosts spanning multiple geographic regions and cloud providers\u00a0have been compromised as part\u00a0of the\u00a0activity.<\/p>\n<p>\u00abPost-compromise, UAT-10608 leverages automated scripts for extracting and exfiltrating credentials from a variety of applications,\u00a0that are then\u00a0posted to its command-and-control (C2),\u00bb security researchers\u00a0 Asheer Malhotra and Brandon\u00a0White <a href=\"https:\/\/blog.talosintelligence.com\/uat-10608-inside-a-large-scale-automated-credential-harvesting-operation-targeting-web-applications\/\">said<\/a> in a report shared with The Hacker News ahead of publication.<\/p>\n<p>\u00abThe C2 hosts a web-based graphical user interface (GUI) titled &#8216;NEXUS Listener&#8217; that\u00a0can be\u00a0used to view stolen information and gain analytical insights using precompiled statistics on credentials harvested and hosts compromised.\u00bb<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/vpn-risk-report-inside-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgWajeG0cdaapf1GKTZRUZUB7BzuYGegyw5k0eAorJXlmkFdYCCeLXXhXYJuXU9lWD33rV6rRnIyly3czoNfYifpxk1eGA5slItPmim3HkubXoQMgC4J7hdQPywxGbWq7Eqeff_o6s2Fq-WmSFd5guwdLn7IqpveMqULqtVnd-ndnljWYGj45EkMFB7m0qm\/s728-e100\/z-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>The\u00a0campaign is\u00a0assessed to be targeting Next.js\u00a0applications that are vulnerable\u00a0to CVE-2025-55182 (CVSS score: 10.0), a critical flaw in React Server Components and Next.js\u00a0App Router that could result in remote code execution, for initial access, and then dropping the NEXUS Listener collection framework.<\/p>\n<p><a name=\"more\"\/><\/p>\n<p>This\u00a0is accomplished by means of a dropper that proceeds to deploy a multi-phase harvesting script that collects various details from the compromised system\u00a0&#8211;<\/p>\n<ul>\n<li>Environment variables<\/li>\n<li>JSON-parsed environment from JS runtime<\/li>\n<li>SSH private keys and authorized_keys<\/li>\n<li>Shell command history<\/li>\n<li>Kubernetes service account tokens<\/li>\n<li>Docker container configurations (running containers, their images, exposed ports, network configurations, mount points, and environment variables)<\/li>\n<li>API keys<\/li>\n<li>IAM role-associated temporary credentials by querying the Instance Metadata Service for AWS, Google Cloud, and Microsoft Azure<\/li>\n<li>Running processes<\/li>\n<\/ul>\n<p>The cybersecurity\u00a0company said the breadth of the victim set and the indiscriminate targeting pattern align with automated scanning, likely leveraging\u00a0services like Shodan, Censys, or custom scanners, to identify publicly reachable Next.js\u00a0deployments and probe them for the vulnerability.<\/p>\n<p>Central to the framework is a password-protected web application that makes all the stolen data available to the operator via a graphical user interface that features search capabilities to sift through the information.<\/p>\n<p>\u00abThe application contains a listing of several statistics, including the number of hosts compromised and the total number of each credential type\u00a0that were successfully\u00a0extracted from those hosts,\u00bb Talos said. \u00abThe web application allows a user to browse through all of the compromised hosts. It\u00a0also lists the uptime of the application\u00a0itself.\u00bb<\/p>\n<p>The current version of NEXUS Listener is V3, indicating that the tool has undergone substantial development iterations before reaching the current\u00a0stage.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/fast-response-not-fast-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjgi9mu68zRUz1nCLLKmkAA2aBtNfP_JOTXulZoB6yImso1Onk7oM_LI0kdROu8fq5S5oDyMtd1j50W44Ye_8Sl3zQZiE8A9tmFr6kejGKjGh74uoxluF-RyBq_unDQlzjXZHCqQeuYXBoogda5zf0w-zXd6v0rIM7fEw6TcFf_QGWBu5Mop-djkEaOUa5A\/s728-e100\/tl-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>Talos, which was able to obtain data from an unauthenticated NEXUS Listener instance, said it contained API keys associated with Stripe, artificial intelligence platforms (OpenAI, Anthropic, and NVIDIA NIM), communication services (SendGrid and Brevo), along with Telegram bot tokens, webhook secrets, GitHub and GitLab tokens, database connection strings, and other application\u00a0secrets.<\/p>\n<p>The extensive data gathering operation highlights how bad actors could weaponize access to compromised hosts to stage follow-on attacks. Organizations are\u00a0advised to audit their environments to enforce the principle of least privilege, enable secret scanning, avoid reusing SSH key pairs, implement IMDSv2 enforcement on all AWS EC2 instances, and rotate credentials if compromise is suspected.<\/p>\n<p>\u00abBeyond the immediate operational value of individual credentials, the aggregate dataset represents a detailed map of the victim organizations&#8217; infrastructure: what services they run,\u00a0how they&#8217;re configured, what cloud providers they use, and what third-party integrations are in place,\u00bb the researchers\u00a0said.<\/p>\n<p>\u00abThis intelligence has significant value for crafting targeted follow-on attacks, social engineering campaigns, or selling access to other threat\u00a0actors.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Apr 02, 2026Vulnerability \/ Threat Intelligence A\u00a0large-scale credential harvesting operation\u00a0has been\u00a0observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web&hellip;<\/p>\n","protected":false},"author":1,"featured_media":482,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[278,446,1046,120,338,1047,151,571],"class_list":["post-481","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-breach","tag-credentials","tag-cve202555182","tag-exploit","tag-hackers","tag-hosts","tag-next-js","tag-steal"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/481","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=481"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/481\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/482"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=481"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=481"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=481"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}