UAT-10608: Inside a large-scale automated credential harvesting operation targeting web applications
ID: 5c8450ed-2787-561d-8021-0fbd514ceac6
STIX ID: report--5c8450ed-2787-561d-8021-0fbd514ceac6
Feed Name: Cisco Talos
Cisco Talos discloses an active, automated credential-harvesting campaign, tracked as UAT-10608, that exploits a pre-authentication remote code execution vulnerability in React Server Components (React2Shell, CVE-2025-55182) against Next.js applications. After exploitation the actor deploys scripts that collect environment secrets, SSH private keys, cloud tokens and API keys and exfiltrate them to a web-based command-and-control service called NEXUS Listener. Talos observed at least 766 compromised hosts and exposed high-value credentials (AWS, Stripe, GitHub, SSH), provides indicators of compromise, and issues remediation and mitigation guidance.
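A harvester that runs inside a compromised Next.js process reaches exactly what that process can read: its environment, dotfiles such as .env, and the deploying user's ~/.ssh directory. The script below is an added responder-side example, not Talos's tooling or anything from the report, that inventories those same sources on a host (or an offline copy of them) and reports a redacted list of what the attacker would have collected, so the rotation list is complete. It assumes only the publicly documented credential formats (the AWS AKIA/ASIA access-key prefix, Stripe sk_live_ keys, GitHub gh*_ tokens, PEM private-key headers, and user:password URLs); the environment and file contents fed to it are constructed samples.

```python
"""Inventory the secrets an in-process credential harvester could reach.

Added example for incident triage after an env/SSH/cloud-token harvesting
compromise: scan the process environment and readable dotfiles for known
credential formats and produce a redacted rotation list. Regexes are the
publicly documented token formats; SAMPLE_ENV and SAMPLE_FILES are
constructed test data (AWS doc example key, placeholder PEM), not real secrets.
"""
import re
from dataclasses import dataclass

# Publicly documented credential formats: a fixed prefix plus a token body.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36,}\b"),
    "url_with_password": re.compile(r"\b[a-z][a-z0-9+.\-]*://[^\s:/@]+:[^\s@]+@[^\s]+"),
    "ssh_private_key": re.compile(r"-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----"),
}
# Values with no recognisable shape (an AWS secret access key is 40 opaque
# characters) are caught by the name they are stored under instead.
SENSITIVE_NAME = re.compile(r"SECRET|TOKEN|PASSWORD|PRIVATE_KEY|API_KEY", re.I)


@dataclass(frozen=True)
class Finding:
    source: str     # "env:NAME" or "file:path"
    kind: str       # one of PATTERNS' keys, or "secret_by_name"
    redacted: str   # enough to match against a vault entry, never the value


def redact(value: str) -> str:
    value = value.strip()
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-2:]


def scan_text(source: str, text: str) -> list:
    """Apply every format regex to one string and redact each hit."""
    found = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            shown = "(key block)" if kind == "ssh_private_key" else redact(m.group(0))
            found.append(Finding(source, kind, shown))
    return found


def iter_assignments(files: dict):
    """Yield (path, NAME, VALUE) for KEY=VALUE lines in dotenv-style files."""
    for path, contents in files.items():
        for line in contents.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                name, _, value = line.partition("=")
                yield path, name.strip(), value.strip().strip("'\"")


def find_exposed_secrets(env: dict, files: dict) -> list:
    """env: the process environment; files: {path: contents} of readable dotfiles."""
    findings = []
    named = [("env:" + n, n, v) for n, v in env.items()]
    named += [("file:" + p, n, v) for p, n, v in iter_assignments(files)]
    for source, name, value in named:
        hits = scan_text(source, value)
        if not hits and value and SENSITIVE_NAME.search(name):
            hits = [Finding(source, "secret_by_name", redact(value))]
        findings.extend(hits)
    # Raw pass over whole files catches multi-line material such as PEM blocks;
    # dict.fromkeys drops duplicates of hits already seen in the named pass.
    for path, contents in files.items():
        findings.extend(scan_text("file:" + path, contents))
    return list(dict.fromkeys(findings))


def rotation_plan(findings: list) -> list:
    """Credential families that must be rotated, one entry per kind."""
    return sorted({f.kind for f in findings})


# Constructed sample data (AWS documentation example key, placeholder tokens).
SAMPLE_ENV = {
    "NODE_ENV": "production",
    "HOME": "/home/app",
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "STRIPE_SECRET_KEY": "sk_live_4eC39HqLyjWDarjtT1zdp7dc",
    "GITHUB_TOKEN": "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8",
}
SAMPLE_FILES = {
    ".env": "DATABASE_URL=postgres://app:hunter2@db.internal:5432/app\n"
            "STRIPE_SECRET_KEY=sk_live_4eC39HqLyjWDarjtT1zdp7dc\n",
    "~/.ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                         "(constructed placeholder, not a real key)\n"
                         "-----END OPENSSH PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    results = find_exposed_secrets(SAMPLE_ENV, SAMPLE_FILES)
    for f in results:
        print(f"{f.source:<28} {f.kind:<20} {f.redacted}")
    print("rotate:", ", ".join(rotation_plan(results)))
```

Run it on the real host as the same user the application runs as, feeding `os.environ` and the contents of the dotfiles that user can read; anything it lists was within reach of the harvester and should be rotated rather than merely audited. The name-based catch-all is deliberately broad, because a secret stored under an unremarkable name with no recognisable prefix is the one most likely to be missed in rotation.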
