Hackers are running a large-scale campaign to steal credentials in an automated way after exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js apps.
At least 766 hosts across various cloud providers and geographies have been compromised to collect database and AWS credentials, SSH private keys, API keys, cloud tokens, and environment secrets.
The operation uses a framework named NEXUS Listener and leverages automated scripts to extract and exfiltrate sensitive data from various applications.
Cisco Talos attributes the activity to a threat cluster tracked as UAT-10608. The researchers gained access to an exposed NEXUS Listener instance, allowing them to analyze the type of data harvested from compromised systems and understand how the web application operates.
The main panel of Nexus Listener
Source: Cisco Talos
Automated secret harvesting
The attack begins with automated scanning for vulnerable Next.js apps, which are breached via the React2Shell vulnerability. A script that executes a multi-phase credential-harvesting routine is placed in the standard temporary directory.
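Two triage checks a defender can run on a Next.js host follow the description above. This is an added example, not Cisco Talos code and not the attackers' script: `find_recent_scripts` lists recently written, executable or script-like files in a temporary directory (the drop location named above), and `inventory_secrets` reports the names (never the values) of environment variables that look like the credential categories mentioned, which is the data a harvesting routine running in the app's process would be able to read. The name pattern, the age window and the constructed sample directory are assumptions for illustration.

```python
"""Added example (not from the article or Cisco Talos): post-exposure triage for a
Next.js host. Lists fresh script-like files in a temp directory and inventories
secret-looking environment variable names. Pattern and thresholds are assumptions."""
import os
import re
import stat
import tempfile
import time
from pathlib import Path

# Assumed name pattern covering the secret kinds the article lists (AWS creds,
# database credentials, API keys, GitHub/GitLab tokens, private keys).
SECRET_NAME_RE = re.compile(
    r"(AWS_|_SECRET|_TOKEN|_KEY|PASSWORD|DATABASE_URL|GITHUB_|GITLAB_|PRIVATE_KEY)",
    re.IGNORECASE,
)

# File extensions we treat as "script-like" even without an executable bit.
SCRIPT_SUFFIXES = {".sh", ".py", ".pl", ".js"}


def inventory_secrets(env):
    """Return the sorted names of env vars whose names look like secrets.

    Only names are returned so the report itself does not leak values. Any
    name listed here is what a script running as the app user could read."""
    return sorted(k for k in env if SECRET_NAME_RE.search(k))


def find_recent_scripts(tmp_dir, max_age_seconds=86400, now=None):
    """Return sorted paths of files in tmp_dir modified within max_age_seconds
    that are executable by their owner, have a script extension, or start with
    a shebang. Unreadable files are skipped rather than failing the scan."""
    now = time.time() if now is None else now
    hits = []
    for p in Path(tmp_dir).iterdir():
        if not p.is_file():
            continue
        st = p.stat()
        if now - st.st_mtime > max_age_seconds:
            continue
        is_exec = bool(st.st_mode & stat.S_IXUSR)
        looks_script = p.suffix in SCRIPT_SUFFIXES
        if not looks_script:
            try:
                with p.open("rb") as fh:
                    looks_script = fh.read(2) == b"#!"
            except OSError:
                continue
        if is_exec or looks_script:
            hits.append(str(p))
    return sorted(hits)


def build_sample_tmp():
    """Create a constructed sample directory: one shebang script, one plain
    text file. Returns the directory path. Used for the demo below."""
    d = tempfile.mkdtemp(prefix="triage_demo_")
    with open(os.path.join(d, "collector"), "w") as fh:   # shebang, no extension
        fh.write("#!/bin/sh\necho constructed sample\n")
    with open(os.path.join(d, "note.txt"), "w") as fh:    # benign file
        fh.write("hello\n")
    return d


# Constructed sample environment; values are placeholders, never real secrets.
SAMPLE_ENV = {
    "PATH": "/usr/bin",
    "HOME": "/home/app",
    "AWS_SECRET_ACCESS_KEY": "placeholder",
    "DATABASE_URL": "postgres://placeholder",
    "NODE_ENV": "production",
}

if __name__ == "__main__":
    print("secret-looking env names:", inventory_secrets(SAMPLE_ENV))
    print("recent scripts:", find_recent_scripts(build_sample_tmp()))
```

Run it against the real host by passing `os.environ` of the Next.js process and the actual temp directory (for example `/tmp`) instead of the constructed samples; a hit in the first list tells you which credentials to rotate, and a hit in the second is a candidate for forensic capture before cleanup.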
According to Cisco Talos researchers, the data stolen this way includes:
Environment variables and secrets (API keys, database credentials, GitHub/GitLab tokens)