Someone built a credential-stealing factory with a web dashboard, charts, filters, and per-host drill-downs. It looks like a SaaS product. It basically is one.

Cisco Talos published research on UAT-10608, a threat group running a framework called NEXUS Listener (now on version 3, so they’ve been iterating). It exploits CVE-2025-55182, a CVSS 10.0 RCE in React Server Components. Send a crafted request, get arbitrary code execution. No auth needed.

In 24 hours, they popped 766 hosts. Every one of them was running a build that had gone unpatched for four months or more; fixed versions have been available since December 2025.

Once inside, the automated pipeline loots everything it can read: database credentials (found on 91.5% of compromised hosts), SSH private keys (78%), AWS credentials (25%), Stripe API keys (11%), environment variables, Kubernetes tokens, shell history. All of it funnels into a searchable database the operator can browse at leisure.

If you run Next.js in production, check the React Server Components packages actually installed right now: the react-server-dom-webpack, react-server-dom-turbopack and react-server-dom-parcel versions in your lockfile, including nested copies under node_modules/next, not just the top-level react version. If you were running a vulnerable version at any point since December, assume compromise and rotate everything the process could read: database creds, SSH keys, API tokens, cloud credentials, Kubernetes tokens. Rotation alone does not evict the attacker; the pipeline has already exported what it found, so check the host for persistence (added authorized_keys entries, unexpected cron jobs, modified deploy hooks) before you trust it again.
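A triage script for that version check, added here as an example and not code from the Talos report or from the NEXUS Listener framework. It walks the packages map of a package-lock.json (lockfileVersion 2 or 3), picks out every react-server-dom-* copy, including nested ones, and classifies each against the fixed release lines. The fixed versions in the table are what I recall the React advisory publishing for CVE-2025-55182 (19.0.1, 19.1.2, 19.2.1); treat them as an assumption and verify them against the advisory before relying on the output. The sample lockfile is constructed for the example.

```javascript
// Added example (not from the Talos report or the NEXUS Listener framework):
// triage a package-lock.json for the React Server Components packages that
// carry the CVE-2025-55182 fix.
// ASSUMPTION: the fixed versions below are recalled from the React advisory;
// verify them against the advisory before relying on this list.
const FIXED_BY_LINE = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
  "react-server-dom-parcel",
]);

// Numeric compare of dotted versions; pre-release suffixes are dropped, so a
// "19.2.0-canary-..." build is treated as 19.2.0, i.e. older than the 19.2.1 fix.
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Classify one installed RSC package version.
//   "vulnerable": below the fix on a 19.x line the table covers.
//   "fixed":      at or above the fix on a covered line.
//   "review":     a line the table does not cover (for example an 18.3.0-canary
//                 build pulled in by older Next.js); do not assume it is safe.
function classify(version) {
  const base = version.split("-")[0];
  const line = base.split(".").slice(0, 2).join(".");
  const fixed = FIXED_BY_LINE[line];
  if (!fixed) return "review";
  return cmpVersion(version, fixed) < 0 ? "vulnerable" : "fixed";
}

// Walk the "packages" map of a lockfile (lockfileVersion 2 or 3). Nested copies
// such as node_modules/next/node_modules/react-server-dom-webpack are included,
// because the copy Next.js actually loads may not be the top-level one.
function auditLockfile(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!RSC_PACKAGES.has(name) || !meta.version) continue;
    findings.push({ path, name, version: meta.version, status: classify(meta.version) });
  }
  return findings;
}

// Anything not "fixed" means: patch, then treat every credential the host could
// read as exposed and rotate it.
function needsAction(findings) {
  return findings.filter((f) => f.status !== "fixed");
}

// Constructed sample lockfile (not from any real project): one fixed top-level
// copy, a vulnerable nested copy, a vulnerable turbopack copy, and a canary
// build the table does not cover.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { next: "15.x", react: "19.x" } },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.1.0" },
    "node_modules/legacy-app/node_modules/react-server-dom-webpack": { version: "18.3.0-canary-a1b2c3" },
  },
});

// Usage: node audit-rsc.js [path/to/package-lock.json]; without an argument
// the constructed sample is audited.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const text = process.argv[2] ? fs.readFileSync(process.argv[2], "utf8") : SAMPLE_LOCK;
  for (const f of auditLockfile(text)) {
    console.log(`${f.status.padEnd(10)} ${f.version.padEnd(22)} ${f.path}`);
  }
}
```

The "review" status is deliberate: a canary or unexpected line is not evidence of safety, and pre-release suffixes are stripped before comparison so a canary of an unfixed release is still flagged. Lockfile v1 (a top-level "dependencies" tree) is not handled; regenerate the lockfile or adapt the walk for those projects.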

The attacker didn’t need to be clever. They just needed to be faster than your patch cycle. They were. By four months.


The full anatomy of a credential-harvesting factory