A large-scale credential harvesting campaign has been uncovered that leverages the React2Shell vulnerability to compromise over 750 systems. The attackers used automated scanning to identify vulnerable targets, then deployed the Nexus Listener collection framework to extract sensitive credentials. The campaign highlights the severity of the React2Shell exploit, which can be used to gain unauthorized access to vulnerable systems. Automated scanning combined with a specialized framework like Nexus Listener enabled the attackers to scale their operations, resulting in a significant number of compromised systems. The attackers' ability to exploit this vulnerability has serious implications for organizations that have not applied the necessary patches or mitigations [1]. This campaign matters to security practitioners because it demonstrates the importance of prompt patching and vulnerability management in preventing large-scale credential harvesting attacks.