{"id":7698,"date":"2026-04-03T19:10:56","date_gmt":"2026-04-03T19:10:56","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7698"},"modified":"2026-04-03T19:10:56","modified_gmt":"2026-04-03T19:10:56","slug":"security-lapse-lets-researchers-view-react2shell-hackers-dashboard","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7698","title":{"rendered":"Security lapse lets researchers view React2Shell hackers\u2019 dashboard"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>An apparent security lapse has allowed researchers to peer into the work of a threat group currently exploiting unpatched servers open to the four-month-old React2Shell vulnerability to steal login credentials, keys, and tokens at scale.<\/p>\n<p>Researchers from Cisco Systems\u2019 Talos threat intelligence team who made the discovery <a href=\"https:\/\/blog.talosintelligence.com\/uat-10608-inside-a-large-scale-automated-credential-harvesting-operation-targeting-web-applications\/\" target=\"_blank\" rel=\"noopener\">said Thursday<\/a> that the data harvested by an unattributed group they call UAT-10608 went to a password protected database behind a web application. 
However, that application was at one point exposed, allowing the researchers to see data that had been harvested from compromised systems.<\/p>\n<p>Credentials, auth tokens, and other secrets stolen so far come from instances of AWS, Microsoft Azure, OpenAI, Anthropic, Nvidia NIM, OpenRouter, Tavily, payment processor Stripe, and GitHub.<\/p>\n<p>The web application allows a user to browse all of\u00a0the compromised hosts.\u00a0A given host can then be selected, bringing up a menu with\u00a0all of\u00a0the exfiltrated data corresponding to each phase of the harvesting script \u2013 a bonus to the researchers.\u00a0<\/p>\n<p>The discovery is a prime reason for IT pros with React servers in their environment who haven\u2019t yet addressed this vulnerability to act quickly, before corporate credentials are stolen. To help blunt the attack, victims and service providers with exposed and at-risk credentials, including AWS and GitHub, are being notified.<\/p>\n<p>One notable statistic: The automated exploitation and harvesting framework was able to successfully compromise 766 hosts within a 24-hour period.<\/p>\n<p>At risk are Next.js applications vulnerable to CVE-2025-55182, a pre-authentication remote code execution vulnerability known as React2Shell. 
<a href=\"https:\/\/www.csoonline.com\/article\/4101890\/warning-react2shell-vulnerability-already-being-exploited-by-threat-actors.html\" target=\"_blank\" rel=\"noopener\">A fix was issued four months ago.<\/a><\/p>\n<h2 class=\"wp-block-heading\">Multi-phase attack<\/h2>\n<p>Once a host is compromised, the campaign deploys a multi-phase credential harvesting tool that collects usernames, passwords, SSH keys, cloud tokens, and environment secrets, at scale.<\/p>\n<p>\u201cThe breadth of the victim\u00a0set\u00a0and the indiscriminate targeting pattern is consistent with automated scanning,\u201d says Cisco Talos, \u201clikely\u00a0based\u00a0on host profile data from services\u00a0like\u00a0Shodan,\u00a0Censys,\u00a0or custom scanners to\u00a0enumerate\u00a0publicly reachable Next.js deployments and probe them for the described React configuration vulnerabilities.\u201d<\/p>\n<p>The attacker crafts a malicious serialized payload designed to abuse the deserialization\u00a0routine,\u00a0a technique commonly used to trigger arbitrary object instantiation or\u00a0method\u00a0invocation\u00a0on a server. 
The payload is sent via an HTTP request directly to a Server Function endpoint; no\u00a0authentication\u00a0is\u00a0required.\u00a0The server deserializes the malicious payload, resulting in arbitrary code execution in the\u00a0server-side Node.js process.\u00a0<\/p>\n<p>The initial React exploit delivers a small dropper that fetches and runs a multi-phase harvesting script.\u00a0Upon execution,\u00a0the harvesting\u00a0script goes through several phases to collect various data from the compromised system, which is then uploaded to a command-and-control server where it is loaded into a database.\u00a0<\/p>\n<h2 class=\"wp-block-heading\">Industrial scale<\/h2>\n<p>\u201cThis is all about neglect and efficiency,\u201d <a href=\"https:\/\/www.linkedin.com\/in\/thegenemoody\/\" target=\"_blank\" rel=\"noopener\">Gene Moody<\/a>, field CTO at patch management provider Action1, told <em>CSO<\/em>. \u201cReact2Shell quickly met all the criteria attackers look for: public disclosure, reliable exploitation, and internet-facing exposure. That combination effectively guaranteed widespread abuse. Since then, multiple campaigns have automated the full [attack] lifecycle [of], scanning, exploitation, and credential harvesting, with little to no human intervention.\u201d<\/p>\n<p>Attackers operate at industrial scale, he added. Platforms like Shodan and Censys already index much of the internet, making vulnerable systems trivial to find. With the finite IP space, comprehensive scanning can be completed in well under an hour on even the most modest of modern computers\/internet connections.<\/p>\n<p>\u201cThere is no meaningful obscurity left for exposed systems,\u201d he added. \u201cTo be honest, there never really was.\u201d<\/p>\n<h2 class=\"wp-block-heading\">\u2018Attack started when you failed to patch\u2019<\/h2>\n<p>The result is predictable, Moody said: Unpatched systems are not \u2018at risk\u2019, they are in a queue. 
Discovery is fast, exploitation is fast, and compromise is often automated end-to-end. \u201cReact2Shell is a perfect example of how quickly attackers can turn a known issue into a sustained revenue stream, and have it persist for extended periods of time based on admin complacency,\u201d he said.<\/p>\n<p>\u201cEven more concerning is what happens after initial access,\u201d he added. \u201cCredential harvesting extends the lifespan of the attack far beyond the original vulnerability. Even if systems are patched later, stolen credentials can enable persistence, lateral movement, and, as a result, means the attack started when you failed to patch. One mistake can turn into every mistake in an instant, with information like this in the wrong hands. The damage could be absolute, with no recovery possible. Businesses have failed for less. When it ends will certainly not be when the patch is applied, unless you got it before being compromised.<\/p>\n<p>\u201cTreat your patching like a toothache,\u201d he advised. \u201cAt first sign, address it as fast as possible, or only misery follows.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>An apparent security lapse has allowed researchers to peer into the work of a threat group currently exploiting unpatched servers open to the four-month-old React2Shell vulnerability to steal login credentials, keys, and tokens at scale. 
Researchers from Cisco Systems\u2019 Talos threat intelligence team who made the discovery said Thursday that the data harvested by an [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7699,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7698","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7698"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7698"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7698\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7699"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7698"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7698"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7698"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}