Hackers Exploit CVE-2025-55182 To Compromise 766 Next.js Hosts And Harvest Credentials

A large-scale credential harvesting campaign has been observed targeting Next.js applications vulnerable to CVE-2025-55182, a critical remote code execution flaw in React Server Components and the Next.js App Router. At least 766 hosts across multiple regions and cloud providers have been compromised, with attackers using the vulnerability as the initial access vector to deploy a collection framework known as NEXUS Listener. Cisco Talos attributes the operation to a threat cluster it tracks as UAT-10608 and notes that the campaign extracts sensitive data at an unprecedented scale.

Security researchers Asheer Malhotra and Brandon White reported that, after compromise, the attackers ran automated scripts to gather database credentials, SSH private keys, AWS secrets, shell command history, Stripe API keys, GitHub and GitLab tokens, Kubernetes service account tokens, and other application secrets. The stolen data is exfiltrated to a command-and-control environment with a password-protected web-based graphical user interface, which lets operators search, sort, and analyze harvested credentials while monitoring the status of compromised hosts. The current version of the tool, NEXUS Listener V3, is the product of several earlier development iterations.

The attack employs a multi-phase dropper that collects environment variables, runtime data from JavaScript processes, container configurations, running processes, and temporary cloud credentials from the instance metadata services of AWS, Google Cloud, and Microsoft Azure hosts. The breadth of the compromise points to automated scanning of publicly reachable Next.js deployments, likely using tools such as Shodan, Censys, or custom-built scanners. Cisco Talos emphasized that beyond the immediate value of individual credentials, the aggregate dataset provides a detailed map of the victim organizations' infrastructure, including service configurations, cloud usage, and third-party integrations. This intelligence could facilitate targeted follow-on attacks or the sale of access to other threat actors.

Talos also obtained data from an exposed NEXUS Listener instance, revealing API keys for Stripe, AI platforms including OpenAI, Anthropic, and NVIDIA NIM, communication services like SendGrid and Brevo, Telegram bot tokens, webhook secrets, and database connection strings. Organizations are advised to upgrade to patched React and Next.js releases, audit their environments, enforce least privilege, enable secret scanning, rotate any credentials that may have been exposed, and require IMDSv2 on AWS EC2 instances so that a compromised process cannot fetch instance credentials with a plain GET request. Researchers noted that attacks of this scale show how the combination of a critical application vulnerability and a mature harvesting framework can be weaponized to gain extensive operational insight into and control over targeted infrastructure, underlining the need for proactive monitoring and rapid mitigation in modern cloud and web application environments.
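To show what "enable secret scanning" means in practice against this campaign, the following is an added example (not Talos's research code and not the attackers' tooling): an offline sweep of the places the dropper is described as collecting from, environment variables, .env files, shell history, cloud CLI config, SSH keys and token files, for the credential types named above. The regular expressions approximate publicly documented token formats and are assumptions, as are the file names and the constructed sample secrets in `demo()`; a production scanner would add verification to cut false positives. Findings are redacted so the report itself does not become a second copy of the secrets.

```python
"""Offline secret sweep for the credential types NEXUS Listener harvests.

Added example, not code from Cisco Talos or from the campaign itself.
Token patterns are approximations of public formats (assumption).
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# (label, pattern). Formats assumed from vendor documentation; tighten or
# verify (e.g. by a read-only API call) before relying on them.
PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("stripe_live_secret", re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b")),
    ("github_pat", re.compile(r"\bghp_[0-9A-Za-z]{36}\b")),
    ("gitlab_pat", re.compile(r"\bglpat-[0-9A-Za-z_-]{20}(?![\w-])")),
    ("telegram_bot_token", re.compile(r"\b\d{8,10}:[0-9A-Za-z_-]{35}(?![\w-])")),
    ("private_key_pem", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("db_connection_string",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s:/@]+:[^\s@]+@")),
]

# File names the dropper is described as targeting (assumed list).
INTERESTING_FILES = {".bash_history", ".zsh_history", "credentials", "config",
                     "id_rsa", "id_ecdsa", "id_ed25519", "token"}
INTERESTING_SUFFIXES = (".json", ".yaml", ".yml", ".pem", ".key")

Finding = Tuple[str, str, str]  # (location, label, redacted match)


def redact(secret: str) -> str:
    """Keep just enough of the match to identify which credential to rotate."""
    if len(secret) > 12:
        return secret[:6] + "..." + secret[-4:]
    return secret[:4] + "..."


def scan_text(location: str, text: str) -> List[Finding]:
    """Run every pattern over one blob of text."""
    found: List[Finding] = []
    for label, pat in PATTERNS:
        for m in pat.finditer(text):
            found.append((location, label, redact(m.group(0))))
    return found


def scan_env(env: Dict[str, str]) -> List[Finding]:
    """Environment variables are the first thing the dropper dumps."""
    found: List[Finding] = []
    for key, value in env.items():
        found.extend(scan_text(f"env:{key}", value))
    return found


def scan_tree(root: Path, max_bytes: int = 1 << 20) -> List[Finding]:
    """Walk a directory and scan only the files an attacker would grab."""
    found: List[Finding] = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        wanted = (p.name.startswith(".env") or p.name in INTERESTING_FILES
                  or p.name.endswith(INTERESTING_SUFFIXES))
        if not wanted:
            continue
        try:
            text = p.read_bytes()[:max_bytes].decode("utf-8", "ignore")
        except OSError:
            continue
        found.extend(scan_text(str(p.relative_to(root)), text))
    return found


def demo() -> List[Finding]:
    """Build a throwaway tree of constructed sample secrets and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / ".env").write_text(
            "DATABASE_URL=postgresql://app:Sup3rS3cret@db.internal:5432/app\n"
            "STRIPE_SECRET_KEY=sk_live_a1b2c3d4e5f6g7h8i9j0k1l2\n"
            "GITHUB_TOKEN=ghp_" + "A" * 36 + "\n")
        (root / ".ssh").mkdir()
        (root / ".ssh" / "id_ed25519").write_text(
            "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n"
            "-----END OPENSSH PRIVATE KEY-----\n")
        (root / ".aws").mkdir()
        (root / ".aws" / "credentials").write_text(
            "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n")
        # Not in the file allow-list, so deliberately skipped by scan_tree.
        (root / "README.md").write_text("ghp_" + "B" * 36 + "\n")
        env = {"TELEGRAM_BOT_TOKEN": "123456789:" + "x" * 35, "PATH": "/usr/bin"}
        return scan_env(env) + scan_tree(root)


if __name__ == "__main__":
    for location, label, redacted in demo():
        print(f"{location:28} {label:22} {redacted}")
```

Run it against a real host with `scan_env(dict(os.environ))` and `scan_tree(Path.home())`; every hit is a credential the dropper would have taken and therefore one to rotate, not merely to delete from disk.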

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem. 
