UAT-10608 Launches Automated Next.js Exploitation Campaign
A sophisticated threat cluster designated UAT-10608 has launched a large-scale automated campaign targeting vulnerable Next.js applications exposed to the internet. The attackers are leveraging a custom tool called React2Shell to systematically identify, compromise, and exfiltrate sensitive data from affected web applications. Security researchers first detected this campaign in late March 2026, with activity spiking significantly throughout the first week of April.
React2Shell differs from a conventional vulnerability scanner in that it does not stop at identifying weaknesses: it chains reconnaissance, exploitation, and data exfiltration into a single automated workflow. The attackers target Next.js because the framework is widely deployed in enterprise environments and because common misconfigurations leave sensitive endpoints exposed.
According to BleepingComputer's analysis, the campaign operates through a multi-stage process. First, React2Shell performs automated reconnaissance to identify Next.js applications by analyzing HTTP response headers, JavaScript frameworks, and specific file structures. The tool then probes for common vulnerabilities including server-side request forgery (SSRF), path traversal, and exposed API endpoints that leak environment variables or configuration files.
Once a vulnerable application is identified, React2Shell automatically deploys payloads designed to extract credentials, API keys, database connection strings, and other sensitive configuration data. The tool specifically targets Next.js environment files, configuration directories, and memory dumps that often contain plaintext secrets. The entire process from initial reconnaissance to data exfiltration typically completes within minutes, making detection challenging for organizations without robust monitoring systems.
The UAT-10608 group appears to be financially motivated, with evidence suggesting they're selling harvested credentials on underground markets. Security researchers have observed the group targeting organizations across multiple sectors, with particular focus on e-commerce platforms, financial services, and software-as-a-service providers that commonly deploy Next.js applications for their web interfaces.
Next.js Applications Face Widespread Exposure Risk
Organizations running web-exposed Next.js applications are the primary targets of this campaign, with particular risk for those using versions 12.0 through 14.1 that contain known vulnerabilities or misconfigurations. The React2Shell tool specifically targets applications with exposed development endpoints, improperly configured environment variable handling, or insufficient input validation on API routes. Companies that have deployed Next.js applications without proper security hardening face the highest risk of compromise.
The campaign shows a clear preference for targeting enterprise environments where Next.js applications handle sensitive business data. E-commerce platforms using Next.js for their storefronts are particularly vulnerable, as these applications often contain payment processing credentials, customer databases, and third-party API keys. Financial services organizations that have adopted Next.js for customer portals or internal dashboards also represent high-value targets for the UAT-10608 group.
Small to medium-sized businesses appear disproportionately affected by this campaign, likely due to limited security resources and less comprehensive monitoring capabilities. Many of these organizations deploy Next.js applications with default configurations that leave sensitive endpoints accessible, making them easy targets for automated exploitation tools like React2Shell. The global nature of this campaign means organizations in all geographic regions face potential exposure, with no indication that attackers are limiting their scope to specific countries or regions.
Development teams that use Next.js for both production and staging environments face additional risk, as React2Shell often targets development instances that contain production-equivalent credentials but lack proper security controls. Organizations that haven't implemented proper secrets management or continue to store sensitive configuration data in environment files accessible to web applications are at particularly high risk of successful exploitation.
Defending Against React2Shell and UAT-10608 Exploitation
Organizations can implement several immediate defensive measures to protect against React2Shell exploitation attempts. First, administrators should audit every Next.js application for exposed development endpoints and API routes that leak sensitive information. This includes checking whether /.env files (and variants such as /.env.local and /.env.production), /api/debug endpoints, or any route that returns system configuration data are reachable without authentication. Production deployments should be built with next build and served with next start or an equivalent production server, never with the next dev server, whose hot-reload and debugging endpoints have no place on the internet. Every API route should enforce authentication and authorization rather than relying on obscurity.
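The audit above can be turned into an enforcement point. The following is an added example, not code from the article or from the Next.js project: request-guard logic of the kind a production middleware.ts would run before any route handler, written as plain Node.js with no next/server import so it runs stand-alone. The blocked-path lists, the public API allowlist and the hasBearerToken placeholder are assumptions drawn from the article and the standard Next.js project layout, not an exhaustive catalogue.

```javascript
// Added example (not the page's or Next.js's own code): request-guard logic
// mirroring what a production middleware.ts would enforce. In a real app the
// same decision would be returned from `middleware(req)` as a NextResponse.

// Endpoints that only exist under `next dev` and must never answer in production.
const DEV_ONLY_PATHS = new Set([
  '/_next/webpack-hmr',              // hot-module-reload socket
  '/__nextjs_original-stack-frame',  // dev error overlay source lookup
]);

// Files and directories that should never be reachable over HTTP (assumption).
const BLOCKED_PREFIXES = ['/.git', '/.next', '/node_modules', '/api/debug'];
const BLOCKED_FILES = new Set([
  'next.config.js', 'next.config.mjs', 'next.config.ts', 'package.json',
]);

// API routes that legitimately answer without credentials (assumption).
const PUBLIC_API = new Set(['/api/health']);

// Decode and canonicalise the path so that `/static/..%2F.env` and
// `/%252e%252e/.env` are judged by what they resolve to, not how they look.
function normalizePath(rawPath) {
  let p = rawPath.split('?')[0].replace(/\\/g, '/');
  for (let i = 0; i < 3; i++) {            // bounded: defeats double/triple encoding
    const decoded = decodeURIComponent(p);  // throws URIError on malformed % sequences
    if (decoded === p) break;
    p = decoded;
  }
  const segments = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { segments.pop(); continue; }
    segments.push(seg);
  }
  return '/' + segments.join('/');
}

// Placeholder authorisation check (assumption): a real deployment verifies the
// token's signature, audience and expiry instead of only checking its shape.
function hasBearerToken(req) {
  const auth = req.headers && req.headers.authorization;
  return typeof auth === 'string' && /^Bearer \S+$/.test(auth);
}

function guardRequest(req, opts = {}) {
  const production = opts.production !== false;
  const isAuthorized = opts.isAuthorized || (() => false); // deny by default
  const deny = (status, reason) => ({ action: 'deny', status, reason });

  let path;
  try {
    path = normalizePath(req.path);
  } catch (e) {
    return deny(400, 'malformed percent-encoding');
  }
  const lower = path.toLowerCase();
  const last = lower.slice(lower.lastIndexOf('/') + 1);

  if (last.startsWith('.env')) return deny(404, 'dotenv file');
  if (BLOCKED_FILES.has(last)) return deny(404, 'project file');
  if (BLOCKED_PREFIXES.some((p) => lower === p || lower.startsWith(p + '/'))) {
    return deny(404, 'blocked directory or debug route');
  }
  if (production && DEV_ONLY_PATHS.has(lower)) return deny(404, 'dev-only endpoint');
  if (lower.startsWith('/api/') && !PUBLIC_API.has(lower) && !isAuthorized(req)) {
    return deny(401, 'API route requires authentication');
  }
  return { action: 'allow', status: 200, path };
}

// Constructed sample requests for the demo.
const SAMPLE_REQUESTS = [
  { path: '/products/42', headers: {} },
  { path: '/.env', headers: {} },
  { path: '/static/..%2F.env.local', headers: {} },
  { path: '/%252e%252e/next.config.js', headers: {} },
  { path: '/_next/webpack-hmr', headers: {} },
  { path: '/api/orders', headers: {} },
  { path: '/api/orders', headers: { authorization: 'Bearer example-token' } },
];

for (const req of SAMPLE_REQUESTS) {
  const d = guardRequest(req, { isAuthorized: hasBearerToken });
  console.log(req.path.padEnd(32), d.action, d.status, d.reason || '');
}
```

Denied paths answer 404 rather than 403 so the guard does not confirm to a scanner that the file exists; the 400 on undecodable input is deliberate, since a request that cannot be canonicalised cannot be safely matched against any allowlist.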
Network-level protections provide another critical defense layer against this automated campaign. Organizations should implement web application firewalls (WAF) configured to detect and block reconnaissance patterns associated with React2Shell. This includes monitoring for rapid sequential requests to common Next.js file paths, user-agent strings associated with automated tools, and attempts to access environment files or configuration directories. Rate limiting on API endpoints slows automated probing and buys time for detection, though it does not by itself close the underlying exposure.
Proper secrets management represents the most effective long-term defense against credential harvesting attacks like those conducted by UAT-10608. Organizations should migrate all sensitive configuration data from environment files to dedicated secrets management solutions like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault. Next.js applications should be configured to retrieve secrets at runtime rather than storing them in accessible configuration files. One Next.js-specific trap deserves a mention: any environment variable prefixed NEXT_PUBLIC_ is inlined into the client-side JavaScript bundle at build time, so a credential under that prefix is exposed to every visitor regardless of how the file is protected. Finally, all API keys and database credentials should be rotated immediately if there is any suspicion of compromise; any credential that was present in an exposed environment file should be treated as already stolen.
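To show what "retrieve secrets at runtime" looks like in practice, here is an added example that is not code from the article, from Next.js, or from any secrets-manager SDK: a server-side secret cache that fetches from a provider on demand, caches with a short TTL so a rotation at the manager takes effect without a redeploy, and refuses names that Next.js would inline into the client bundle. InMemorySecretProvider is an assumed stand-in for the Vault, AWS Secrets Manager or Key Vault client a real deployment would use, and the clock is injectable so the TTL behaviour can be exercised offline.

```javascript
// Added example (not the page's or Next.js's own code): runtime secret
// retrieval with TTL caching and a guard against the NEXT_PUBLIC_ prefix.

// Stand-in (assumption) for a real secrets-manager client; synchronous only
// so the example runs without network access.
class InMemorySecretProvider {
  constructor(initial) {
    this.store = new Map(Object.entries(initial));
    this.fetchCount = 0; // lets the demo prove that caching actually happened
  }
  fetch(name) {
    this.fetchCount += 1;
    if (!this.store.has(name)) throw new Error(`secret "${name}" not found in provider`);
    return this.store.get(name);
  }
  rotate(name, value) { this.store.set(name, value); } // simulates rotation at the manager
}

class SecretCache {
  constructor(provider, { ttlMs = 5 * 60 * 1000, now = Date.now } = {}) {
    this.provider = provider;
    this.ttlMs = ttlMs;
    this.now = now;          // injectable clock (assumption, for testing)
    this.entries = new Map();
  }
  get(name) {
    // Next.js inlines every NEXT_PUBLIC_* variable into the browser bundle at
    // build time, so a "secret" under that prefix is public by construction.
    if (name.startsWith('NEXT_PUBLIC_')) {
      throw new Error(`refusing to treat ${name} as a secret: NEXT_PUBLIC_ values ship to the browser`);
    }
    const t = this.now();
    const hit = this.entries.get(name);
    if (hit && t - hit.fetchedAt < this.ttlMs) return hit.value;
    const value = this.provider.fetch(name); // cache miss or TTL expired: go to the manager
    this.entries.set(name, { value, fetchedAt: t });
    return value;
  }
  invalidate(name) { this.entries.delete(name); } // call after an auth failure to force a refetch
}

// Consumer that takes the credential from the cache, never from process.env
// or a committed .env file. Host and database name are constructed for the demo.
function databaseUrl(secrets) {
  const pw = secrets.get('DB_PASSWORD');
  return `postgres://app:${encodeURIComponent(pw)}@db.internal:5432/shop`;
}

// Audit helper: which names in a .env-style object would leak to the client?
function findPublicSecrets(env) {
  const secretLike = /(secret|password|token|key|private)/i;
  return Object.keys(env).filter((k) => k.startsWith('NEXT_PUBLIC_') && secretLike.test(k));
}

// Constructed demo: a rotation becomes visible once the TTL elapses.
let clock = 1000000;
const provider = new InMemorySecretProvider({ DB_PASSWORD: 'p@ss/v1' });
const secrets = new SecretCache(provider, { ttlMs: 30000, now: () => clock });
console.log('first read :', databaseUrl(secrets), 'fetches:', provider.fetchCount);
provider.rotate('DB_PASSWORD', 'p@ss/v2');
console.log('within TTL :', databaseUrl(secrets), 'fetches:', provider.fetchCount);
clock += 30000;
console.log('after TTL  :', databaseUrl(secrets), 'fetches:', provider.fetchCount);
console.log('leaky names:', findPublicSecrets({ NEXT_PUBLIC_SITE_URL: 'x', NEXT_PUBLIC_API_SECRET: 'y' }));
```

The TTL is the operational knob: a short TTL means a rotation after a suspected compromise propagates quickly but costs more calls to the manager, while invalidate() lets a request that just failed authentication refetch immediately instead of waiting out the window.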
Security teams should implement comprehensive monitoring for indicators of React2Shell activity, including unusual outbound network connections from web servers, unexpected file access patterns, and API requests that attempt to retrieve environment variables or configuration data. A burst of requests from one client to several of these paths within seconds is the signature to alert on, and a 2xx response to any of them should be treated as a probable exposure rather than a mere probe. SecurityWeek's research indicates that organizations with robust logging and monitoring capabilities can detect React2Shell exploitation attempts within the first few minutes of an attack, significantly reducing the potential for successful data exfiltration.
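The WAF and monitoring guidance in this section, the reconnaissance-burst pattern and the requests for environment files, can be checked against ordinary access logs. The following is an added example, not detection content from the article, BleepingComputer, SecurityWeek or any vendor: a sliding-window detector over combined-format web-server log lines that reports a burst of distinct sensitive paths from one client, any 2xx answer on such a path, and requests from generic automation clients. The log lines are constructed for the example; the sensitive-path patterns and the User-Agent list are assumptions, and React2Shell's own User-Agent, which the article does not publish, is deliberately not guessed.

```javascript
// Added example (not the page's or any vendor's detection logic): flag the
// reconnaissance pattern described in the article from web-server access logs.

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Paths an ordinary Next.js visitor never requests but a scanner does (assumption).
const SENSITIVE_PATH_PATTERNS = [
  /^\/\.env(\.|$)/,                    // /.env, /.env.local, /.env.production
  /^\/\.(git|next|aws)(\/|$)/,         // repo metadata, build output, cloud credentials
  /^\/next\.config\.(js|mjs|ts)$/,
  /^\/api\/debug(\/|$)/,
  /^\/_next\/webpack-hmr$/,            // next dev endpoints
  /^\/__nextjs_original-stack-frame/,
  /(^|\/)\.\.(\/|%2f)/i,               // path traversal, raw or percent-encoded
];
// Generic automation clients; not a claim about React2Shell's own User-Agent.
const AUTOMATION_UA = /python-requests|go-http-client|curl\/|httpx|nuclei|libwww-perl/i;

// "10/Apr/2026:08:15:01 +0000" -> epoch milliseconds (UTC), honouring the offset.
function parseClfTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{4})$/.exec(s);
  if (!m || !(m[2] in MONTHS)) return null;
  const local = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]);
  const offMs = (+m[8].slice(0, 2) * 60 + +m[8].slice(2)) * 60 * 1000;
  return m[7] === '+' ? local - offMs : local + offMs;
}

function parseLogLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { client: m[1], time: parseClfTime(m[2]), method: m[3], path: m[4], status: Number(m[5]), ua: m[6] };
}

function isSensitivePath(path) {
  return SENSITIVE_PATH_PATTERNS.some((re) => re.test(path));
}

function detectReconnaissance(lines, { windowSeconds = 60, threshold = 3 } = {}) {
  const windowMs = windowSeconds * 1000;
  const recent = new Map();  // client -> sensitive-path events inside the window
  const seen = new Set();    // de-duplicates findings per client and kind
  const findings = [];
  const report = (kind, severity, ev, extra) => {
    const key = `${ev.client}|${kind}|${extra.path || ''}`;
    if (seen.has(key)) return;
    seen.add(key);
    findings.push({ kind, severity, client: ev.client, time: new Date(ev.time).toISOString(), ...extra });
  };
  for (const line of lines) {
    const ev = parseLogLine(line);
    if (!ev || ev.time === null || !isSensitivePath(ev.path)) continue;
    // A 2xx on a sensitive path means something was served: the real alarm.
    if (ev.status >= 200 && ev.status < 300) report('exposure', 'critical', ev, { path: ev.path, status: ev.status });
    const events = recent.get(ev.client) || [];
    events.push(ev);
    while (events.length && ev.time - events[0].time > windowMs) events.shift(); // slide the window
    recent.set(ev.client, events);
    const distinct = [...new Set(events.map((e) => e.path))];
    if (distinct.length >= threshold) report('recon-burst', 'high', ev, { paths: distinct, windowSeconds });
    if (AUTOMATION_UA.test(ev.ua)) report('automation-client', 'medium', ev, { ua: ev.ua });
  }
  return findings;
}

// Constructed sample log: one scanning client, one normal visitor, one lone 404.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Apr/2026:08:15:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"',
  '203.0.113.7 - - [10/Apr/2026:08:15:01 +0000] "GET /.env.local HTTP/1.1" 404 153 "-" "python-requests/2.31"',
  '203.0.113.7 - - [10/Apr/2026:08:15:02 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.31"',
  '203.0.113.7 - - [10/Apr/2026:08:15:02 +0000] "GET /api/debug HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
  '203.0.113.7 - - [10/Apr/2026:08:15:03 +0000] "GET /next.config.js HTTP/1.1" 404 153 "-" "python-requests/2.31"',
  '198.51.100.5 - - [10/Apr/2026:08:15:03 +0000] "GET /products/42 HTTP/1.1" 200 9120 "https://shop.example/" "Mozilla/5.0"',
  '198.51.100.5 - - [10/Apr/2026:08:15:05 +0000] "GET /_next/static/chunks/main.js HTTP/1.1" 200 41020 "https://shop.example/products/42" "Mozilla/5.0"',
  '192.0.2.44 - - [10/Apr/2026:08:20:00 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
];

for (const f of detectReconnaissance(SAMPLE_LOG)) console.log(JSON.stringify(f));
```

The single /.env 404 from 192.0.2.44 produces nothing, which is intended: lone probes are background noise on any internet-facing host, whereas several distinct sensitive paths from one client in under a minute, or a 200 on any of them, is the pattern this section says to act on. Feeding the same function a real access log is a matter of splitting the file on newlines.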