National Cyber Warfare Foundation (NCWF)

UAT-10608


2026-04-02 16:47:01
blscott
UAT-10608 is a large-scale, automated credential-harvesting campaign disclosed by Cisco Talos on April 2, 2026. It targets web applications built on the Next.js framework that are vulnerable to React2Shell (CVE-2025-55182), a remote code execution flaw in React Server Components.

The threat cluster uses an automated toolkit, NEXUS Listener, to exploit publicly accessible React Server Components without authentication, then deploys scripts to harvest and exfiltrate credentials, SSH keys, and cloud tokens. According to the disclosure, the campaign compromised at least 766 hosts across multiple regions and collected over 10,000 files, including database credentials, AWS access keys, and live Stripe API secrets.

Key characteristics of the operation include:

Initial Access: Exploitation of CVE-2025-55182 via malicious serialized payloads sent to Server Function endpoints. 
Data Collection: Automated scripts run in phases to dump environment variables, SSH keys, Kubernetes tokens, and cloud metadata. 
Command and Control: Exfiltrated data is stored behind a password-protected web GUI titled "NEXUS Listener", which gives operators statistics on the haul and search capabilities over the harvested data.
Impact: Approximately 91.5% of compromised hosts exposed database credentials, 78.2% exposed SSH private keys, and 25.6% exposed AWS credentials.
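The Impact figures say which credential classes the campaign pulled from victims; the practical follow-up for a defender is to work out which of those classes a given host would have yielded and rotate them. The script below is an added example, not code from Cisco Talos or from this post. It runs the same classification the Data Collection phase implies (process environment, .env files, SSH private keys, the in-cluster Kubernetes token) over a constructed sample host. The AWS key-ID prefix, the Stripe sk_live_/sk_test_ prefix, the user:password@ connection-URL shape and the service-account token path are public formats; every sample value is fabricated.

```python
"""Exposure inventory for a host that ran a Next.js app reachable by UAT-10608.

Added example, not Talos's or NCWF's code. It answers the question the Impact
figures raise: which of the credential classes the campaign harvested (database
credentials, AWS keys, Stripe secrets, SSH private keys, Kubernetes
service-account tokens) did THIS host expose, so they can be rotated.

Assumptions: the sample environment and files below are constructed; the AWS
key-ID prefix (AKIA/ASIA), the Stripe sk_live_/sk_test_ prefix, user:password@
connection URLs and the in-cluster token path are public formats.
"""
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # e.g. "aws_access_key"
    location: str  # environment variable name or file path
    hint: str      # redacted prefix, so the report is not itself a secret dump


K8S_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"

# Value-based rules, checked first; the first match wins.
ENV_VALUE_RULES = [
    ("aws_access_key", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("stripe_secret", re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b")),
    ("database_url", re.compile(
        r"^(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^:/\s]+:[^@\s]+@", re.I)),
]
# Name-based fallback for opaque secrets (AWS secret keys, session secrets, ...).
SECRET_NAME_HINT = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY", re.I)


def redact(value: str) -> str:
    """Keep only a short prefix so findings can be handed to the rotation owner."""
    return value[:6] + "..." if len(value) > 6 else "..."


def scan_env(env: dict) -> list:
    """Classify environment variables (or parsed .env entries) by the secret they carry."""
    findings = []
    for name, value in env.items():
        for category, pattern in ENV_VALUE_RULES:
            if pattern.search(value):
                findings.append(Finding(category, name, redact(value)))
                break
        else:
            if SECRET_NAME_HINT.search(name):
                findings.append(Finding("generic_secret", name, redact(value)))
    return findings


def parse_dotenv(content: str) -> dict:
    """Minimal KEY=VALUE parser for .env files; comments and blank lines are skipped."""
    entries = {}
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip()] = value.strip().strip('"').strip("'")
    return entries


def scan_files(files: dict) -> list:
    """Classify files by path or content: SSH private keys, in-cluster tokens, .env files."""
    findings = []
    for path, content in files.items():
        first_line = content.lstrip().splitlines()[0] if content.strip() else ""
        if first_line.startswith("-----BEGIN") and first_line.endswith("PRIVATE KEY-----"):
            findings.append(Finding("ssh_private_key", path, first_line))
        elif path == K8S_TOKEN_PATH:
            findings.append(Finding("k8s_sa_token", path, redact(content)))
        elif os.path.basename(path).startswith(".env"):
            # .env entries are scanned with the same rules as the live environment
            for f in scan_env(parse_dotenv(content)):
                findings.append(Finding(f.category, f"{path}:{f.location}", f.hint))
    return findings


def inventory(env: dict, files: dict) -> dict:
    """Map each secret category to the locations where this host exposed it."""
    by_category = {}
    for f in scan_env(env) + scan_files(files):
        by_category.setdefault(f.category, []).append(f.location)
    return by_category


# Constructed sample host: a Next.js process environment and a few files on disk.
SAMPLE_ENV = {
    "DATABASE_URL": "postgres://app:s3cret@db.internal:5432/prod",
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",  # AWS documentation example key ID
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "STRIPE_SECRET_KEY": "sk_live_0000000000000000EXAMPLE0000",
    "NEXT_PUBLIC_API_BASE": "https://api.example.com",  # public by design, must not be flagged
    "NODE_ENV": "production",
}
SAMPLE_FILES = {
    "/home/app/.ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEA\n-----END OPENSSH PRIVATE KEY-----\n",
    "/home/app/.ssh/id_ed25519.pub": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA app@web-01\n",
    K8S_TOKEN_PATH: "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJrdWJlcm5ldGVzIn0.c2lnbmF0dXJl",
    "/srv/app/.env.production": "# constructed\nSTRIPE_SECRET_KEY=sk_live_0000000000000000EXAMPLE0000\nSESSION_SECRET=\"not-a-real-secret\"\n",
}

if __name__ == "__main__":
    for category, locations in inventory(SAMPLE_ENV, SAMPLE_FILES).items():
        print(f"{category:16} rotate: {', '.join(locations)}")
```

On a real host the two dictionaries would come from the web process's environment (for example /proc/PID/environ) and from a walk of the application user's home and deploy directories. Public-key files and NEXT_PUBLIC_* variables are deliberately not flagged, since rotating those gains nothing; everything that is flagged should be treated as already in the operator's NEXUS Listener panel.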





Copyright 2012 through 2026 - National Cyber Warfare Foundation - All rights reserved worldwide.