Security researchers have issued warnings about two large-scale attack campaigns targeting enterprise and personal accounts. Attackers are actively exploiting the React2Shell vulnerability (CVE-2025-55182) to steal credentials automatically from applications built on the Next.js framework worldwide.
According to Cisco Talos, at least 766 hosts across various cloud service providers have been compromised. The campaign, tracked as UAT-10608, uses a framework dubbed "NEXUS Listener" to automatically harvest database credentials, AWS keys, SSH private keys, API tokens, and other secrets held in environment variables.
The attack begins with automated scanning for Next.js applications. Once a vulnerable instance is identified, the attackers drop scripts into temporary directories that extract sensitive data in stages. The harvested data is then exfiltrated via HTTP requests over port 8080 to attacker-controlled command-and-control servers, giving the attackers full visibility into the compromised host's environment variables and container configuration.
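The chain described above (a script written into a temp directory by the web-app process, executed, reading key files and .env, then calling out on port 8080) is the kind of sequence host telemetry can catch even when the initial HTTP exploit is not logged. The following is an added example written for this article, not Talos's tooling or any Next.js code; the JSON-lines event shape, the internal address ranges and the sample events are all constructed assumptions.

```python
import ipaddress
import json
from collections import Counter

# Constructed host telemetry in a simplified JSON-lines shape (an assumption for this
# example, not any vendor's schema). It models the chain described above: a script
# dropped into a temp dir by the web-app process, run, reading secrets, then
# posting them out over port 8080. One benign 8080 call and one benign .env read
# by the app itself are included so the rules have something to ignore.
SAMPLE_EVENTS = """
{"ts":"2025-12-05T10:00:01Z","type":"exec","pid":100,"ppid":1,"exe":"/usr/local/bin/node","argv":["node","server.js"]}
{"ts":"2025-12-05T10:03:12Z","type":"write","pid":100,"ppid":1,"path":"/tmp/.cache/stage1.sh"}
{"ts":"2025-12-05T10:03:13Z","type":"exec","pid":101,"ppid":100,"exe":"/bin/sh","argv":["sh","/tmp/.cache/stage1.sh"]}
{"ts":"2025-12-05T10:03:14Z","type":"open","pid":101,"ppid":100,"path":"/root/.ssh/id_rsa"}
{"ts":"2025-12-05T10:03:14Z","type":"open","pid":101,"ppid":100,"path":"/app/.env"}
{"ts":"2025-12-05T10:03:20Z","type":"connect","pid":101,"ppid":100,"dst":"203.0.113.9","dport":8080}
{"ts":"2025-12-05T10:04:00Z","type":"connect","pid":100,"ppid":1,"dst":"10.0.3.4","dport":8080}
{"ts":"2025-12-05T10:04:01Z","type":"open","pid":100,"ppid":1,"path":"/app/.env"}
"""

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SCRIPT_EXTS = (".sh", ".py", ".js", ".pl")
# Path fragments covering the secret types the article says are harvested.
SECRET_MARKERS = ("/.ssh/id_", "/.env", "/.aws/credentials", "/var/run/secrets/")
# Internal ranges where an 8080 destination is expected (assumed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]


def in_temp_dir(path):
    return any(path.startswith(d) for d in TEMP_DIRS)


def analyze(lines):
    """Return (rule_name, event) pairs. Processes executed from a temp directory,
    and their children, are tracked as suspicious so that secret reads by them
    fire while the web app's own routine .env read does not."""
    suspicious_pids = set()
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        pid, ppid, kind = ev.get("pid"), ev.get("ppid"), ev["type"]
        if ppid in suspicious_pids:          # children inherit suspicion
            suspicious_pids.add(pid)
        if kind == "write" and in_temp_dir(ev["path"]) and ev["path"].endswith(SCRIPT_EXTS):
            alerts.append(("script_dropped_in_temp", ev))
        elif kind == "exec" and (in_temp_dir(ev["exe"]) or any(in_temp_dir(a) for a in ev.get("argv", []))):
            alerts.append(("exec_from_temp", ev))
            suspicious_pids.add(pid)
        elif kind == "open" and pid in suspicious_pids and any(m in ev["path"] for m in SECRET_MARKERS):
            alerts.append(("secret_read_by_suspicious_proc", ev))
        elif kind == "connect" and ev["dport"] == 8080:
            if not any(ipaddress.ip_address(ev["dst"]) in net for net in INTERNAL_NETS):
                alerts.append(("external_8080_egress", ev))
    return alerts


def rule_counts(alerts):
    """Summary by rule name, handy for a quick triage view."""
    return dict(Counter(rule for rule, _ in alerts))


if __name__ == "__main__":
    for rule, ev in analyze(SAMPLE_EVENTS.splitlines()):
        target = ev.get("path") or ev.get("exe") or ev.get("dst")
        print(f"{ev['ts']} {rule:32} pid={ev['pid']} {target}")
```

The port-8080 rule on its own is noisy, since plenty of internal services listen there; it earns its keep only in combination with the temp-directory execution and the secret reads by the same process tree, which is why the example tracks process lineage rather than matching single events. On the sample events it reports five alerts and stays silent on the app's own 8080 call and .env read.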
Surge in Device Code Phishing Attacks
At the same time, phishing that abuses authentication flows is evolving rapidly. According to a report by Push Security, phishing attacks that abuse the OAuth 2.0 Device Authorization Grant (RFC 8628) have surged 37-fold this year.
The device authorization grant was designed for input-constrained devices such as smart TVs, printers and command-line tools that cannot easily run a browser login: the device displays a short code, the user enters that code on a separate device at the provider's verification page, and the waiting device then receives tokens. Attackers invert this. They start the flow themselves, send the victim the resulting code with a pretext, and lure the victim, often through a convincing lure page, into entering it at the provider's genuine verification endpoint. Because the victim authenticates with the real identity provider, including any MFA step, the attacker's polling client receives a valid access token (and typically a refresh token) and hijacks the account without ever seeing the password.
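The security-relevant detail is that RFC 8628 delivers the token to whoever holds the device_code, and nothing in the flow ties that party to the person who types the user_code. The following is an added example, not Push Security's material or any provider's code: an in-memory model of the provider's three device-flow endpoints plus the attacker's side of the exchange. The provider URL, the client_id and the victim identity are hypothetical, and the server is simplified (no expiry, polling interval, client authentication or consent screen).

```python
import secrets


class DeviceAuthServer:
    """Minimal in-memory model of an identity provider's device-flow endpoints
    (RFC 8628). Simplified for illustration: no expiry, polling interval,
    client authentication or consent screen."""

    VERIFICATION_URI = "https://idp.example/device"   # hypothetical provider URL

    def __init__(self):
        self._by_device_code = {}
        self._by_user_code = {}
        self._issued = {}

    def device_authorization(self, client_id, scope):
        """Device Authorization Request: whoever calls this holds the device_code."""
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
        rec = {"client_id": client_id, "scope": scope, "user_code": user_code, "user": None}
        self._by_device_code[device_code] = rec
        self._by_user_code[user_code] = rec
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.VERIFICATION_URI, "expires_in": 900, "interval": 5}

    def verify(self, user_code, username, mfa_passed):
        """The browser step on the provider's genuine page. Note what it does NOT
        check: nothing ties the person entering the code to the device that asked."""
        rec = self._by_user_code.get(user_code)
        if rec is None:
            return "invalid_code"
        if not mfa_passed:
            return "authentication_failed"
        rec["user"] = username
        return "approved"

    def token(self, device_code, client_id):
        """Device Access Token Request, polled by the device_code holder."""
        rec = self._by_device_code.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if rec["user"] is None:
            return {"error": "authorization_pending"}
        self._by_device_code.pop(device_code)      # single use
        self._by_user_code.pop(rec["user_code"])
        access = "at-" + secrets.token_urlsafe(16)
        self._issued[access] = {"sub": rec["user"], "client_id": client_id, "scope": rec["scope"]}
        return {"access_token": access, "refresh_token": "rt-" + secrets.token_urlsafe(16),
                "token_type": "Bearer", "scope": rec["scope"]}

    def introspect(self, access_token):
        """RFC 7662-style lookup, used here only to show whose account a token is for."""
        info = self._issued.get(access_token)
        return {"active": False} if info is None else {"active": True, **info}


def device_code_phish(idp, victim="alice@corp.example", client_id="first-party-mail-client"):
    """Attacker's side of the flow. Returns the lure text, the token response and
    the introspection showing the token belongs to the victim's account."""
    # 1. The attacker, not the victim, starts the flow, typically with a well-known
    #    public client_id so the approval screen looks routine (hypothetical id here).
    start = idp.device_authorization(client_id=client_id, scope="mail.read offline_access")
    # 2. The lure carries the attacker's user_code and the provider's REAL URL, so URL
    #    reputation and the browser padlock give the victim no warning.
    lure = f"To open the shared document, go to {start['verification_uri']} and enter {start['user_code']}"
    # 3. The attacker polls in the meantime; nothing is issued until the victim approves.
    pending = idp.token(start["device_code"], client_id)
    # 4. The victim signs in on the genuine page, completes MFA, and approves the code.
    approval = idp.verify(start["user_code"], victim, mfa_passed=True)
    # 5. The token is delivered to the device_code holder, i.e. the attacker.
    tok = idp.token(start["device_code"], client_id)
    return {"lure": lure, "pending": pending, "approval": approval,
            "token": tok, "token_owner": idp.introspect(tok["access_token"])}


if __name__ == "__main__":
    result = device_code_phish(DeviceAuthServer())
    print(result["lure"])
    print("attacker holds a", result["token"]["token_type"], "token for", result["token_owner"]["sub"])
```

The victim's password never leaves the genuine login page and MFA is completed honestly, which is exactly why password hygiene and MFA do not stop this attack; the controls that do are restricting which identities and clients may use the device code flow at all, and watching for approvals from unexpected users, apps or locations.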
Push Security researchers noted that while this technique has existed since 2020, the recent proliferation of malicious toolkits has led to an unprecedented spike in abuse. The report states: "As of early March, our research team observed a 15-fold increase in the number of device code phishing pages detected this year, with multiple attack toolkits and campaigns operating simultaneously."
Both state-sponsored threat actors and financially motivated cybercriminal groups have now integrated device code phishing into their standard arsenals. Enterprises should audit OAuth authorization requests, restrict the device code flow to the identities and devices that genuinely need it (Microsoft Entra Conditional Access, for example, can block the flow through its authentication flows condition), and monitor cloud environments and API keys for misuse, to defend against these two escalating automated threats.
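Auditing for this abuse comes down to asking, for every sign-in that used the device code flow, whether that user and that network are ones you expect to see using it. The following is an added example written for this article, not Push Security's or any vendor's code: a triage pass over constructed sign-in records in a simplified, Entra-like JSON-lines shape. The field names mirror common sign-in log exports, but the records, the corporate address range and the expected-user set are all assumptions; which party's IP address a real log records for a device-code sign-in (the browser that approved the code or the client that polled for the token) varies by provider and event type, and an unexpected address from either side matters.

```python
import ipaddress
import json

# Assumed corporate egress range and the set of identities expected to use the
# device code flow at all (e.g., meeting-room displays). Both are assumptions.
CORP_NETS = [ipaddress.ip_network("198.51.100.0/24")]
EXPECTED_DEVICE_CODE_USERS = {"tv-lobby@corp.example"}

# Constructed sign-in records in a simplified, Entra-like JSON-lines shape. The field
# names mirror common sign-in log exports; the records themselves are invented.
SAMPLE_SIGNINS = """
{"ts":"2025-03-03T08:01:00Z","userPrincipalName":"alice@corp.example","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.10","appDisplayName":"Outlook","status":"success"}
{"ts":"2025-03-03T08:05:00Z","userPrincipalName":"tv-lobby@corp.example","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.50","appDisplayName":"Teams Rooms","status":"success"}
{"ts":"2025-03-03T09:12:00Z","userPrincipalName":"alice@corp.example","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.77","appDisplayName":"Microsoft Office","status":"success"}
{"ts":"2025-03-03T09:30:00Z","userPrincipalName":"bob@corp.example","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.12","appDisplayName":"Microsoft Office","status":"failure"}
"""


def triage_device_code_signins(lines):
    """Return one finding per device-code sign-in, scored by how far it departs
    from the expected population and network. Failures are reported too: a failed
    attempt still shows the user was lured and may be followed by a successful one."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("authenticationProtocol") != "deviceCode":
            continue                      # only the device code flow is in scope here
        reasons = []
        if ev["userPrincipalName"] not in EXPECTED_DEVICE_CODE_USERS:
            reasons.append("user_not_expected_to_use_device_code")
        ip = ipaddress.ip_address(ev["ipAddress"])
        if not any(ip in net for net in CORP_NETS):
            reasons.append("ip_outside_corporate_range")
        if reasons and ev["status"] == "success":
            severity = "high"             # token was actually issued
        elif reasons:
            severity = "medium"
        else:
            severity = "info"             # expected user, expected network: log and move on
        findings.append({"ts": ev["ts"], "user": ev["userPrincipalName"], "ip": ev["ipAddress"],
                         "app": ev.get("appDisplayName"), "severity": severity, "reasons": reasons})
    return findings


def severity_counts(findings):
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_device_code_signins(SAMPLE_SIGNINS.splitlines()):
        print(f"{f['ts']} {f['severity']:6} {f['user']:24} {f['ip']:15} {f['app']} {','.join(f['reasons'])}")
```

A "high" finding is the case to act on: a user who has no business using the device code flow completed a sign-in with it, and the session tokens should be revoked and the user's recent lures reviewed. The same two checks are what a Conditional Access or equivalent policy would enforce up front, which is the stronger control; the log pass exists to catch what the policy does not yet cover and to confirm a policy is actually biting.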