InfoSecBulletin Cybersecurity for mankind
Hackers are misusing React2Shell flaw in Next.js apps to carry out an automatic scheme to steal credentials. This has already affected at least 766 servers in less than 24 hours.
The threat activity is tracked as “UAT‑10608”. It relies on a custom framework dubbed NEXUS Listener to systematically harvest and organize stolen secrets at scale.
LastPass says hackers stole customer data via Klue, supply chain breach
New Apple Exploit Bypasses Boot Defenses, Possibly Affects Millions of iPhones Worldwide
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
Cisco Talos calls UAT‑10608 a big, automatic campaign that steals login info. It focuses on public Next.js apps that have a weakness called CVE‑2025‑55182, also known as React2Shell.
By linking this pre-authentication remote code execution (RCE) weakness with automated tools used after a breach, the attackers steal passwords, SSH keys, cloud tokens, and secret information without needing more manual work after the first break-in.
Telemetry from an open NEXUS Listener shows at least 766 affected hosts in different areas and cloud services, with the tools set up for wide usage instead of focusing on certain industries.
React2Shell exploitation
React2Shell (CVE‑2025‑55182) is a security flaw with a score of 10.0. It allows attackers to run their code without proper access in React Server Components (RSC). This issue also affects other frameworks that use RSC, like Next.js.
The flaw comes from unsafe deserialization of data from an attacker sent to Server Function points. This lets the attacker run any code they want on the server side in the Node.js process before checking who they are or doing any proper validation.
In this campaign, UAT‑10608 finds a vulnarable internet app. It then sends a special message to a Server Function to cause the deserialization issue.
Successful exploitation results in the execution of a lightweight dropper, which in turn retrieves and launches a multi‑phase shell script without any need for valid credentials.
