UAT-10608 Collective Hijacked 700+ Next.js Servers in Hours

Cybersecurity specialists have chronicled a voluminous, automated campaign for credential harvesting that, within a mere matter of hours, besieged hundreds of servers across the globe. The offensive unfolded with minimal human intervention, preying upon a vulnerability within ubiquitous web applications to transmute them into fountains of confidential intelligence.

The Cisco Talos vanguard has unmasked the maneuvers of a collective designated as UAT-10608. These adversaries target applications built upon Next.js, weaponizing the React2Shell vulnerability (CVE-2025-55182), which permits unauthenticated remote code execution on the server. Through this breach, a sequence of autonomous scripts is ignited to harvest telemetry and exfiltrate it to a command-and-control nexus.

According to the dossier, at least 766 nodes have been compromised. In the majority of instances, the marauders extracted database connection strings, SSH keys, and cloud credentials. Approximately one-quarter of the afflicted systems suffered the compromise of Amazon Web Services resources, alongside GitHub tokens and auxiliary services.

At the heart of the offensive infrastructure lies the NEXUS Listener—a web application endowed with a graphical interface where the plundered data is aggregated. This dashboard empowers the assailants to surveil statistics, filter intelligence, and scrutinize compromised hosts. In one particular event, the exposure of such a panel facilitated an intricate study of the operation’s internal architecture.

The attack sequence is architected in discrete echelons. Following the initial breach, a compact loader is planted upon the server to fetch the primary script. This script systematically harvests environment variables, access keys, command histories, container telemetry, and Kubernetes service-account tokens. After each phase, the collected intelligence is transmitted to the management server.

The acquired telemetry bestows expansive opportunities for subsequent incursions. Purloined payment system keys facilitate illicit financial transactions; cloud credentials permit the orchestration of infrastructure; and SSH keys enable lateral movement within a network. A distinct peril resides in the access to package registries, which poses a dire threat of supply chain subversion: a publishing token lets an intruder ship tampered packages to every downstream consumer.

Analysis indicates that the adversaries likely employ automated internet reconnaissance, focusing upon exposed services and their configurations. Such a paradigm allows for the rapid identification of vulnerable systems and the scaling of offensives without manual labor.

Specialists have already alerted the afflicted parties and are collaborating with providers to contain the compromised data. Organizations are urgently exhorted to patch their Next.js and React deployments, rotate every access key and token that a compromised host could have exposed, and rigorously audit the configurations of their cloud and containerized infrastructures.
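As an added illustration of the rotation work recommended above (this is example code, not from the Talos report or this article): a small inventory routine that flags credential material in the categories the campaign harvested and maps each hit to a rotation action. The sample values and file paths are constructed; the detection patterns are common credential formats, not indicators from the report.

```python
"""Inventory credential material on a Next.js host, grouped by the categories
the campaign harvested, so that every finding maps to a rotation action.
Sample data is constructed; real use would read os.environ and the files."""
import re
from typing import Dict, List, Tuple

# category -> (pattern applied to the value, rotation action).
# Variable names are not trusted on their own; the value format decides.
PATTERNS = {
    "aws": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
            "deactivate the key in IAM and issue a new one"),
    "github": (re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
               "revoke the token in GitHub settings"),
    "database": (re.compile(r"^(postgres(ql)?|mysql|mongodb(\+srv)?)://\S+:\S+@", re.I),
                 "change the DB user's password and update the connection string"),
    "ssh": (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
            "replace the keypair and remove the old public key everywhere"),
    "kubernetes": (re.compile(r"^eyJ[\w-]+\.[\w-]+\.[\w-]+$"),   # JWT-shaped token
                   "delete the service-account token secret so it is re-issued"),
}

def redact(value: str) -> str:
    """Keep a 4-character prefix only, so the report is not a second leak."""
    return f"{value[:4]}...{len(value)} chars"

def inventory(env: Dict[str, str], files: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (category, location, redacted_value, action) for every match
    across environment variables and file contents."""
    findings = []
    for location, value in list(env.items()) + list(files.items()):
        for category, (pattern, action) in PATTERNS.items():
            if pattern.search(value.strip()):
                findings.append((category, location, redact(value), action))
    return findings

# Constructed sample input: none of these are real credentials.
SAMPLE_ENV = {
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
    "DATABASE_URL": "postgres://app:s3cret@db.internal:5432/prod",
    "GITHUB_TOKEN": "ghp_" + "x" * 36,
    "NODE_ENV": "production",
}
SAMPLE_FILES = {
    "/home/app/.ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\n...",
    "/var/run/secrets/kubernetes.io/serviceaccount/token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ4In0.c2ln",
}

if __name__ == "__main__":
    for cat, loc, val, action in inventory(SAMPLE_ENV, SAMPLE_FILES):
        print(f"[{cat}] {loc}: {val} -> {action}")
```

Run against a live host by substituting `dict(os.environ)` and the contents of the listed files; the output is a rotation checklist, not a copy of the secrets.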
