Tags: adversary, high, Credential Harvesting, Vulnerability Exploitation, UAT-10608

Apr 06, 2026 • Elizabeth Montalbano

Automated Credential Harvesting Campaign Exploits React2Shell Flaw


Source: Dark Reading
Category: adversary
Severity: high

Executive Summary

Threat cluster UAT-10608 is conducting automated credential harvesting campaigns targeting vulnerable web-exposed Next.js applications. The attack exploits the React2Shell flaw to deploy automated tools for exfiltrating credentials, secrets, and system data. Organizations with internet-facing Next.js deployments are at significant risk of credential compromise and unauthorized system access. Immediate mitigation priorities include patching affected applications, restricting web exposure, implementing multi-factor authentication, and monitoring for suspicious credential access patterns. Security teams should audit exposed applications for React2Shell vulnerabilities and apply available security updates promptly.

Summary

An emerging threat cluster tracked as UAT-10608 is exploiting vulnerable Web-exposed Next.js apps and using an automated tool to exfiltrate credentials, secrets, and other system data.

Linked Entities

  • UAT-10608