Cyber Threat Brief — April 4 2026
⚠️ This report is AI-generated. Always validate findings.
1. UAT-10608 Mass Credential Harvesting via React2Shell — CVE-2025-55182
TL;DR: Cisco Talos disclosed a large-scale automated credential harvesting campaign by UAT-10608 exploiting React2Shell (CVE-2025-55182, CVSS 10.0) in Next.js apps. 766+ hosts compromised, 10K+ files exfiltrated including AWS keys, SSH keys, Stripe tokens, and database credentials.
What’s New:
- Talos published April 2: UAT-10608 uses automated scanning (Shodan/Censys-derived target lists) to find vulnerable Next.js deployments and exploit React Server Components insecure deserialization for unauthenticated RCE
- Multi-phase “NEXUS Listener” framework deployed post-exploitation: harvests .env files, shell history, SSH private keys, AWS secrets, GitHub tokens, Stripe API keys, and database credentials
- 766+ compromised hosts across multiple cloud providers and geographic regions; 10,000+ files collected
- Post-exploitation artifacts: randomized dot-prefixed scripts in /tmp/ (e.g., /tmp/.e40e7da0c.sh), nohup process invocations, outbound HTTPS to non-production endpoints
- Snort SID 65554 released for CVE-2025-55182 exploitation detection; full IOC set on Talos GitHub
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| 144.172.102[.]88 | Attacker IP | T1190 | Firewall, WAF, proxy logs | Block and hunt in last 30 days |
| 172.86.127[.]128 | Attacker IP | T1190 | Firewall, WAF, proxy logs | Block and hunt in last 30 days |
| 144.172.112[.]136 | Attacker IP | T1190 | Firewall, WAF, proxy logs | Block and hunt in last 30 days |
| 144.172.117[.]112 | Attacker IP | T1190 | Firewall, WAF, proxy logs | Block and hunt in last 30 days |
| /tmp/.<hex_string>.sh | Post-exploit dropper | T1059.004 | Sysmon for Linux, EDR, auditd | Hunt for dot-prefixed scripts created in /tmp on web servers |
| nohup spawned by web process | Persistence mechanism | T1059.004 | Process creation logs, EDR | Alert on nohup invocations by Node.js/Next.js parent processes |
| __NEXT_DATA__ with server-side secrets | Data exposure indicator | T1552.001 | WAF, application logs | Scan rendered HTML responses for leaked secrets in __NEXT_DATA__ |
| Next.js < 14.2.35 / < 15.0.5 | Vulnerable version | T1190 | Software inventory, SBOM | Audit all Next.js deployments; upgrade to patched versions |
| Outbound HTTPS to non-production IPs | C2/exfiltration | T1041 | NDR, proxy, firewall | Baseline web server outbound connections; alert on anomalies |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None specific | Need: Next.js/Node.js process spawning shell scripts in /tmp; anomalous outbound from web containers |
| Elastic | None specific | Need: Linux web server child process anomaly detection for Node.js apps |
| Sigma | proc_creation_linux_webshell_detection.yml (partial) | Need: Node.js-specific variant; nohup + /tmp dot-prefixed file creation rule |
| Snort | SID 65554 (CVE-2025-55182) | Network-level detection available; deploy on perimeter |
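The dropper and nohup rows of the Actionable Intel table, and the Node.js-specific Sigma gap above, as a runnable hunt over process-creation events. This is an added example, not Talos, Sigma or Snort content; the event field names, the set of parent process names treated as "web process", and the minimum hex length in the dropper pattern are assumptions, and the sample events are constructed.

```python
import re

# Dropper naming pattern from the brief: randomized dot-prefixed hex script in /tmp
# (e.g. /tmp/.e40e7da0c.sh). The minimum hex length of 6 is an assumption.
TMP_DOT_SCRIPT = re.compile(r"(?:^|\s)/tmp/\.[0-9a-f]{6,}\.sh\b")
# Parent process names treated as "web process" for the nohup rule (assumption).
WEB_PARENTS = {"node", "next-server", "npm", "npx"}

# Constructed sample process-creation events, not real telemetry. The field names
# (ts, host, parent_image, image, cmdline) are an assumption; map your own
# Sysmon-for-Linux / auditd / EDR schema onto them before use.
SAMPLE_EVENTS = [
    {"ts": "2026-04-03T10:01:02Z", "host": "web-01", "parent_image": "/usr/bin/node",
     "image": "/usr/bin/nohup", "cmdline": "nohup /bin/sh /tmp/.e40e7da0c.sh"},
    {"ts": "2026-04-03T10:01:03Z", "host": "web-01", "parent_image": "/usr/bin/nohup",
     "image": "/bin/sh", "cmdline": "/bin/sh /tmp/.e40e7da0c.sh"},
    {"ts": "2026-04-03T10:05:00Z", "host": "web-01", "parent_image": "/usr/sbin/cron",
     "image": "/bin/sh", "cmdline": "/bin/sh /etc/cron.daily/logrotate"},
    {"ts": "2026-04-03T10:07:00Z", "host": "ci-01", "parent_image": "/bin/bash",
     "image": "/usr/bin/nohup", "cmdline": "nohup ./build.sh"},
]

def evaluate(event):
    """Return the list of matched rule labels for one process-creation event."""
    parent = event.get("parent_image", "").rsplit("/", 1)[-1]
    image = event.get("image", "").rsplit("/", 1)[-1]
    cmdline = event.get("cmdline", "")
    findings = []
    # Rule 1 (T1059.004): nohup launched directly by a Node.js/Next.js parent.
    if image == "nohup" and parent in WEB_PARENTS:
        findings.append("T1059.004 nohup spawned by web process")
    # Rule 2 (T1059.004): any execution of a dot-prefixed hex-named script in /tmp.
    if TMP_DOT_SCRIPT.search(cmdline):
        findings.append("T1059.004 dot-prefixed /tmp script executed")
    return findings

def hunt(events):
    """Return (host, ts, findings) for every event that matches at least one rule."""
    hits = []
    for event in events:
        findings = evaluate(event)
        if findings:
            hits.append((event["host"], event["ts"], findings))
    return hits

if __name__ == "__main__":
    for host, ts, findings in hunt(SAMPLE_EVENTS):
        print(f"{ts} {host}: {'; '.join(findings)}")
```

Expect rule 1 to fire on legitimate process managers that wrap Node.js with nohup; tune WEB_PARENTS and the parent/child pairing to your fleet's baseline before alerting.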
Sources: Cisco Talos Blog · SecurityWeek · The Hacker News
Status Updates
- CVE-2026-4681 (PTC Windchill/FlexPLM): CISA published ICS advisory ICSA-26-085-03 March 26. Still no patch — PTC recommends disconnecting from the internet and applying Apache/IIS servlet path deny rules. German police continue physical outreach to affected orgs. Original brief.
- CVE-2026-3055 (Citrix NetScaler ADC/Gateway): Federal KEV deadline passed April 2. Active exploitation ongoing via SAMLRequest to /saml/login and /wsfed/passive?wctx paths. Metasploit module available. Original brief.
- CVE-2026-20131 (Cisco Secure Firewall MC): Interlock ransomware exploitation ongoing. No new artifacts. Original brief.
- CVE-2025-53521 (F5 BIG-IP APM): UNC5221 BRICKSTORM exploitation ongoing. Federal deadline passed March 30. No new artifacts. Original brief.