A large-scale credential-harvesting campaign tracked by Cisco Talos as UAT-10608 is exploiting the React2Shell vulnerability to steal credentials at scale, with a strong focus on crypto-related secrets. Once a host is compromised, the actors run automated scripts that collect database credentials, SSH private keys, AWS secrets, shell command history, Stripe API keys and GitHub tokens, then exfiltrate the haul to command-and-control (C2) servers. Talos counts at least 766 compromised hosts spanning multiple geographic regions and cloud providers. The campaign is a particular threat to crypto developers and traders who keep API keys and wallet credentials on affected systems: any secret readable from a compromised host should be assumed stolen and rotated, because the exfiltrated material gives the actors a durable foothold in cryptocurrency operations and trading platforms long after the initial exploit.
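The credential classes listed above are the ones a responder has to inventory and rotate after a React2Shell compromise. The following scanner is an added example, not code from Cisco Talos or The Hacker News: it walks a set of files, flags the token classes named in the report, and groups the hits into a rotation plan. The file contents are constructed, and the token formats (the `AKIA`, `ghp_` and `sk_live_` prefixes, the private-key header, the `user:password@` database URL) are assumptions about common formats rather than facts from the article.

```python
"""Triage scanner for the credential classes the UAT-10608 report lists.

Added example, not Talos's or The Hacker News' code. The sample file
contents are constructed; the token prefixes used in PATTERNS are
assumptions about common formats, not facts taken from the article.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample "files": path -> contents. No real hosts or keys.
SAMPLE_FILES: Dict[str, str] = {
    "/home/dev/.bash_history":
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "git push origin main\n",
    "/home/dev/.aws/credentials":
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "/home/dev/.ssh/id_ed25519":
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA\n"
        "-----END OPENSSH PRIVATE KEY-----\n",
    "/srv/app/.env":
        "STRIPE_SECRET=sk_live_" + "a" * 24 + "\n"
        "GITHUB_TOKEN=ghp_" + "b" * 36 + "\n"
        "DATABASE_URL=postgres://app:hunter2@db.internal:5432/app\n",
    "/srv/app/README.md": "Nothing sensitive here.\n",
}

# One regex per credential class from the report (formats are assumptions).
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"\baws_secret_access_key\s*=\s*\S+", re.IGNORECASE),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_secret_key": re.compile(r"\bsk_live_[A-Za-z0-9]{24,}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "database_url": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s:@/]+:[^\s@/]+@"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    line: int
    preview: str  # redacted: never write the full secret into a report


def redact(match: str) -> str:
    """Keep a short prefix so the hit is attributable without re-leaking it."""
    return match[:8] + "..." if len(match) > 8 else "***"


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every pattern over one file's contents and record redacted hits."""
    findings: List[Finding] = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(path, kind, line, redact(m.group(0))))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory path -> contents map (used for the sample above)."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def scan_paths(paths: Iterable[str]) -> List[Finding]:
    """Same scan over real files on a host; unreadable paths are skipped."""
    out: List[Finding] = []
    for p in paths:
        try:
            with open(p, "r", errors="replace") as fh:
                out.extend(scan_text(p, fh.read()))
        except OSError:
            continue
    return out


def rotation_plan(findings: Iterable[Finding]) -> Dict[str, List[str]]:
    """Group hits by credential class: each class is a rotation task."""
    plan: Dict[str, List[str]] = {}
    for f in findings:
        bucket = plan.setdefault(f.kind, [])
        if f.path not in bucket:
            bucket.append(f.path)
    return plan


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.kind} {f.preview}")
    for kind, paths in rotation_plan(scan_files(SAMPLE_FILES)).items():
        print(f"rotate {kind}: {', '.join(paths)}")
```

On a real host, pass `scan_paths` the usual locations (`~/.bash_history`, `~/.aws/credentials`, `~/.ssh/*`, application `.env` files, `~/.git-credentials`); the point of the redacted preview is that the triage report itself does not become a second copy of the stolen material.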
React2Shell Vulnerability Exploited in Large-Scale Credential Harvesting Operation
The Hacker News
Friday, April 3, 2026·5 min read·Web3
#credential theft #React2Shell #developer security #API keys
