Security researchers have identified a large-scale credential harvesting operation that uses the React2Shell vulnerability (CVE-2025-55182) as its initial access vector. The campaign, attributed to threat cluster UAT-10608, has compromised at least 766 hosts across multiple geographic regions and cloud providers. After compromise, automated scripts collect and exfiltrate credentials from a range of sources, including database credentials, SSH private keys, AWS secrets, shell command history, Stripe API keys, and GitHub tokens.
The operation demonstrates the scale and automation of modern credential theft campaigns: stolen data is posted to command-and-control servers for further exploitation. The React2Shell vulnerability affects Next.js applications and allows attackers to execute arbitrary code through server-side request forgery. Organizations running affected frameworks are advised to patch immediately and to audit exposed hosts for signs of compromise, including an inventory of any plaintext secrets those hosts held so they can be rotated.
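Part of such an audit is knowing which secrets an exposed host could have leaked. The following is an added example, not code from the report or from any of the tools it describes: a small scanner that checks file contents for the credential classes named above and returns findings by type so each class can be mapped to a rotation task. The token regexes are assumptions based on the providers' public key prefixes, and the sample file contents are constructed with fake values.

```python
import re
from dataclasses import dataclass

# Regexes for the credential classes the campaign targets. The token formats
# are assumptions drawn from the providers' published key prefixes, not from the report.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_secret_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "ssh_private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
    "db_connection_string": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^:\s/]+:[^@\s]+@"),
}

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # enough to recognise the secret in a report, never the full value

def redact(value: str) -> str:
    return value[:8] + "..." if len(value) > 8 else value

def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per secret-looking match, with line numbers for triage."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, redact(match.group(0))))
    return findings

def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]

def rotation_summary(findings: list[Finding]) -> dict[str, int]:
    """Count findings per credential class; each class maps to one rotation task."""
    summary: dict[str, int] = {}
    for f in findings:
        summary[f.kind] = summary.get(f.kind, 0) + 1
    return summary

# Constructed sample host contents (fake values) mirroring the file types the report names.
SAMPLE_FILES = {
    "/home/app/.bash_history": "ls -la\nexport AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000AB\n"
        "curl -H 'Authorization: token ghp_abcdefghijklmnopqrstuvwxyz0123456789' https://api.example/\n",
    "/srv/app/.env": "STRIPE_SECRET_KEY=sk_live_0123456789abcdefghijklmnop\n"
        "DATABASE_URL=postgres://app:s3cret@db.internal:5432/app\n",
    "/home/app/.ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n"
        "-----END OPENSSH PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} {f.kind} {f.redacted}")
    print(rotation_summary(scan_files(SAMPLE_FILES)))
```

Run it against a mounted image or a file listing of a suspect host rather than on the live system, and treat every finding as already stolen.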
