The stolen information could help intruders plan follow-up attacks and breach more organizations, Cisco researchers said.
A large-scale cyberattack campaign is exploiting the React2Shell vulnerability to harvest sensitive credentials from exposed servers, compromising everything from AI platform API keys to cloud infrastructure access. The campaign highlights the growing risks associated with unsecured modern web applications and the increasing sophistication of automated threat operations.
The attackers are targeting internet-facing systems running vulnerable React Server Components, using the React2Shell flaw to upload malicious payloads without requiring authentication. Once deployed, the payload enables arbitrary code execution, giving threat actors direct access to compromised environments and the ability to extract critical data.
At the center of the campaign is a highly automated, multi-phase credential-harvesting tool designed to collect a wide range of sensitive information at scale. This includes API keys, SSH credentials, cloud tokens, and environment variables – effectively providing attackers with deep visibility into enterprise systems and services.
The scale of the attack is significant, with at least 766 servers already compromised across multiple regions. The activity appears to be opportunistic rather than targeted, impacting organizations across industries without geographic preference. The threat actor behind the campaign has been identified as UAT-10608, though further attribution details remain unclear.
Once harvested, the stolen data is transmitted to attacker-controlled infrastructure running a web application known as NEXUS Listener. This platform provides organized storage and easy access to the compromised credentials, turning the collected data into a structured repository that can be leveraged for further attacks or monetization.
The breadth of exposed data underscores the severity of the breach. Compromised credentials include API keys for leading AI platforms such as OpenAI and Anthropic, as well as access tokens for widely used developer and cloud services. Sensitive financial infrastructure has also been impacted, with secret keys for Stripe discovered among the stolen data.
Cloud environments are particularly at risk, with attackers gaining access to Amazon Web Services (AWS) keys and Microsoft Azure subscription credentials. Additionally, GitHub tokens, Docker metadata, and Kubernetes access tokens have been exposed, increasing the likelihood of supply chain compromise and infrastructure manipulation.
The inclusion of SSH private keys further amplifies the threat, enabling attackers to move laterally across trusted systems and expand their reach within compromised networks. Access to command-line activity logs also provides valuable intelligence, allowing threat actors to refine their strategies for follow-up attacks, data exfiltration, or operational disruption.
This campaign demonstrates how a single vulnerability in modern application frameworks can be leveraged to orchestrate large-scale, automated attacks with far-reaching consequences. As organizations continue to adopt cloud-native technologies and AI-driven tools, securing exposed services and managing credentials effectively has become a critical priority.
The React2Shell exploitation campaign serves as a stark reminder that vulnerabilities in widely used development frameworks can quickly evolve into major security incidents, particularly when combined with automation and credential harvesting techniques.