Overview
- Cisco Talos linked the activity to the group it tracks as UAT-10608, which exploits CVE-2025-55182, a flaw in React Server Components reachable through the Next.js App Router, to run code on target servers.
- Attackers rely on automated internet scans to find public Next.js apps and then deploy a script that pulls environment secrets, SSH keys, shell history, Kubernetes tokens, Docker configs, process details, and cloud metadata credentials from AWS, Google Cloud, and Azure.
- Stolen data flows to a web dashboard called NEXUS Listener, where Talos viewed an exposed instance that listed 766 compromised hosts and more than 10,000 collected files.
- The dataset included API keys for Stripe and AI services such as OpenAI and Anthropic, GitHub and GitLab tokens, database connection strings, Telegram bot tokens, and other application secrets.
- Talos warns that the harvested credential cache can fuel follow-on cloud intrusions and urges immediate steps: audit exposed Next.js deployments, enforce AWS IMDSv2 so metadata credentials cannot be fetched with a plain GET, enable secret scanning, stop reusing SSH keys across hosts, and rotate any credential suspected of exposure.
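The "enable secret scanning" step is where most teams start the rotation triage, because the credential classes Talos saw (Stripe, OpenAI, Anthropic, GitHub, GitLab, database URLs, Telegram bot tokens) all carry recognisable prefixes or shapes. The scanner below is an added example written for this summary; it is not tooling from Cisco Talos, from the React or Next.js projects, or from the attacker. The token regexes approximate each vendor's published prefix format and are assumptions, and the `.env` and shell-history lines it scans are constructed with fake values. It goes slightly beyond the report's `.env` case by also scanning free-form lines such as `.bash_history`, since the harvester collected shell history too.

```python
"""Offline scanner for the credential classes named in the Talos summary.

Added example, not code from Cisco Talos, React, Next.js or the attacker.
Token patterns approximate vendor prefixes (assumption); samples are fake.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One pattern per secret class. Where a pattern defines a named group
# "secret" (the DB URL), only that part is treated as the credential.
PATTERNS = [
    ("stripe_live_secret", re.compile(r"sk_live_[0-9A-Za-z]{24,}")),
    ("anthropic_api_key", re.compile(r"sk-ant-[A-Za-z0-9_-]{20,}")),
    # Negative lookahead stops Anthropic keys being double-reported as OpenAI.
    ("openai_api_key", re.compile(r"sk-(?!ant-)[A-Za-z0-9_-]{20,}")),
    ("github_token", re.compile(r"gh[pousr]_[A-Za-z0-9]{36}(?![A-Za-z0-9])")),
    ("gitlab_token", re.compile(r"glpat-[A-Za-z0-9_-]{20,}")),
    ("telegram_bot_token",
     re.compile(r"(?<!\d)\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")),
    ("db_connection_string", re.compile(
        r"(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://"
        r"[^:/\s]+:(?P<secret>[^@\s]+)@\S+")),
]

# KEY=VALUE or "export KEY=VALUE"; used only to attach a variable name.
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=")

# Constructed .env with fake values (not from any real compromise).
SAMPLE_ENV = """\
DATABASE_URL=postgres://app:Sup3rS3cret@db.internal:5432/prod
STRIPE_SECRET_KEY=sk_live_51Habcdefghijklmnopqrstuvwx
OPENAI_API_KEY=sk-proj-abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGH
ANTHROPIC_API_KEY=sk-ant-api03-abcdefghijklmnopqrstuvwxyz0123456789
GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
GITLAB_TOKEN=glpat-abcdefghijklmnopqrst
TELEGRAM_BOT_TOKEN=123456789:AAEabcdefghijklmnopqrstuvwxyz012345
NODE_ENV=production
NEXT_PUBLIC_API_BASE=https://api.example.com
"""

# Constructed shell-history fragment: a token pasted into a curl command.
SAMPLE_HISTORY = """\
ls -la /app
curl -s -H "Authorization: token ghp_abcdefghijklmnopqrstuvwxyz0123456789" https://api.github.com/user
"""


@dataclass
class Finding:
    line_no: int
    variable: Optional[str]  # env var name for KEY=VALUE lines, else None
    kind: str
    redacted: str            # never log the full secret


def redact(secret: str) -> str:
    """Keep just enough of the value to identify which credential to rotate."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:6]}...{secret[-2:]}"


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per secret-like match, in line order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        assignment = ASSIGNMENT.match(line)
        variable = assignment.group(1) if assignment else None
        for kind, pattern in PATTERNS:
            for hit in pattern.finditer(line):
                secret = hit.groupdict().get("secret") or hit.group(0)
                findings.append(Finding(line_no, variable, kind, redact(secret)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per class, i.e. the rotation worklist by provider."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for label, sample in (("env", SAMPLE_ENV), ("history", SAMPLE_HISTORY)):
        for f in scan_text(sample):
            print(f"{label}:{f.line_no} {f.variable or '-'} {f.kind} {f.redacted}")
    print(summarize(scan_text(SAMPLE_ENV)))
```

Point `scan_text` at real `.env` files, `~/.bash_history`, Kubernetes secret dumps or Docker configs on a host you suspect was hit, then rotate everything it lists by class; the redacted prefix is enough to match a finding to the right console entry without copying the live value into a ticket. Prefix regexes will miss secrets without a recognisable shape (generic passwords, custom API keys), so treat a clean result as a starting point rather than proof the host leaked nothing.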