In late 2024, Casmer Labs tracked a breach at the global legal data company LexisNexis in which data on more than 360,000 people was stolen. The company was hit again in early March 2026, this time by a different route, with the attackers claiming to hold more than 4,000,000 stolen personal records. Where the first incident was a third-party supply chain compromise, the March 2026 breach exposed holes in LexisNexis' own cloud environment.
What Happened?
The March 2026 incident is yet another proof point that perimeter defenses alone are not enough when the interior is left unmonitored.
- The attacker group FulcrumSec did not need to breach a firewall: they exploited an unpatched React frontend application (CVE-2025-55182, the flaw known as React2Shell) deployed in the LexisNexis AWS environment. A malicious payload sent to the application gave them remote code execution inside the container.
- Once inside the compromised container, the attackers used "living off the land" tactics, primarily leveraging a vastly overpermissive ECS task role. They obtained that role's IAM credentials by querying the local credential/metadata endpoint, which hands temporary keys to any process in the container that can reach it.
- With those credentials in hand, they enumerated AWS Secrets Manager through the AWS API and pulled 53 plaintext secrets, including master credentials for the production Amazon Redshift data warehouse.
- Disguising the exfiltration as legitimate database queries, they stole 2.04 GB of data, including 400,000 user profiles, federal government personnel records, and enterprise customer contracts.
Why It Matters
In the immediate aftermath, LexisNexis tried to play down the impact by stating that the compromised servers contained "mostly legacy, deprecated data." That raises the obvious questions: why was the data still there, and why could attackers reach it? Perimeter and endpoint security remain critical, but in real cloud environments the perimeter is porous: one exposed application puts an attacker inside a network whose identity and service APIs treat every workload as trusted.
Patching the React vulnerability would have prevented the attack entirely, but least-privilege credentials and exfiltration monitoring could have stopped it even after the attackers gained initial access. A task role that could read only the one secret its application needed would have left nothing to enumerate, and a warehouse that authenticated with short-lived, IAM-issued database credentials rather than a long-lived master password would have made the stolen secret worth far less.
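To make "appropriately configured credentials" concrete, here is an added example (not code from LexisNexis, Casmer Labs or AWS) that places an over-permissive ECS task role policy beside a scoped one and checks a policy document for the two grants that made the secret dump possible: secret discovery (ListSecrets) and secret reads on a wildcard resource. The policies, account ID and secret name are constructed placeholders, not identifiers from the incident.

```python
"""Flag over-permissive Secrets Manager grants in an IAM policy document.

Added example, not code from LexisNexis, Casmer Labs or AWS. The two policies
are constructed for illustration: the account ID, bucket name and secret name
are placeholders, not identifiers from the incident.
"""
import fnmatch
import json

# Constructed: a task role that can list and read every secret in the account.
# One compromised container with this role can dump the whole vault.
OVERPERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-assets-bucket/*"},
    ],
}

# Constructed: the same workload, limited to the single secret it reads.
# No ListSecrets: an application that knows its secret's ARN never needs to
# discover secrets, so discovery rights only serve an intruder.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue"],
         "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/db-reader-*"},
    ],
}

READ_ACTIONS = ("secretsmanager:GetSecretValue", "secretsmanager:BatchGetSecretValue")
DISCOVERY_ACTION = "secretsmanager:ListSecrets"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_allowed(patterns, action):
    # IAM action matching is case-insensitive and '*' is a wildcard.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _wildcard_resource(resources):
    # "*" or "...:secret:*" means every secret the principal can see.
    return any(r == "*" or r.endswith(":secret:*") for r in resources)


def find_overpermissive_statements(policy):
    """Return one finding per Allow statement that grants secret discovery, or
    secret reads on a wildcard resource."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        reasons = []
        if _action_allowed(actions, DISCOVERY_ACTION):
            reasons.append("grants ListSecrets (secret discovery)")
        reads = [a for a in READ_ACTIONS if _action_allowed(actions, a)]
        if reads and _wildcard_resource(resources):
            reasons.append(f"grants {', '.join(reads)} on a wildcard resource")
        if reasons:
            findings.append({"statement": index, "actions": actions,
                             "resources": resources, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for name, policy in (("overpermissive", OVERPERMISSIVE_POLICY),
                         ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(find_overpermissive_statements(policy), indent=2))
```

The check only looks at plain Allow statements: it ignores NotAction, Deny statements and Condition blocks, so treat it as a quick gate on task-role policies rather than a substitute for IAM Access Analyzer. The scoped policy also shows the shape that survives the attack: a single read action on a single secret ARN pattern, and nothing that lets a caller ask what else exists.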
IOCs and Prevention Methods
- Suspicious HTTP requests to React Server Function endpoints that attempt to trigger the React Blob Handler (closely associated with CVE-2025-55182)
- Anomalous API calls to AWS Secrets Manager from an ECS task role (in particular ListSecrets followed by a burst of GetSecretValue calls), or anomalous querying of the local credential endpoints: 169.254.169.254 (EC2 instance metadata, which yields the instance role) and 169.254.170.2 (the ECS task credential endpoint, reached through AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)
- Contact with known FulcrumSec channels, such as the addresses fulcrumsec@tuta.io and threatspians@fulcrumsec.net, the Tox protocol, and other channels
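The Secrets Manager indicator above can be turned into a detection over CloudTrail. The following is an added example (not the incident responders' tooling or any AWS product) that runs over constructed CloudTrail records: it flags any ListSecrets call from a known ECS task role session, and any session that reads more than a threshold of distinct secrets inside a short window, while ignoring the same calls from non-task roles. The account ID, role names, task ID and secret names are placeholders, and the set of task roles is assumed to be known from inventory.

```python
"""Detect Secrets Manager enumeration by an ECS task role in CloudTrail.

Added example, not the incident responders' tooling or any AWS product.
The CloudTrail records are constructed; the account ID, role names, task ID
and secret names are placeholders. Assumes an inventory of which IAM roles
are ECS task roles (hard-coded here) and that ECS task-role sessions appear
in CloudTrail as assumed-role sessions named after the task ID.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ECS_TASK_ROLES = {"app-frontend-task-role"}       # assumption: known task roles
ENUM_EVENTS = {"ListSecrets", "GetSecretValue", "BatchGetSecretValue"}
WINDOW = timedelta(minutes=5)
DISTINCT_SECRETS_THRESHOLD = 3                    # tune to the workload's baseline

ASSUMED_ROLE = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/([^/]+)/.+$")


def _record(time, name, secret=None, role="app-frontend-task-role",
            session="0a1b2c3d4e5f60718293a4b5c6d7e8f9", ip="10.0.12.34"):
    """Build a constructed CloudTrail record with only the fields we consult."""
    rec = {
        "eventTime": time,
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::123456789012:assumed-role/{role}/{session}"},
    }
    if secret:
        rec["requestParameters"] = {"secretId": secret}
    return rec


# Constructed sample: one routine read, then discovery and a burst of reads
# by the same task session, plus an unrelated read by a human operator role.
SAMPLE_RECORDS = [
    _record("2026-03-02T09:00:00Z", "GetSecretValue", "app/db-reader"),
    _record("2026-03-02T10:15:00Z", "ListSecrets"),
    _record("2026-03-02T10:15:05Z", "GetSecretValue", "app/db-reader"),
    _record("2026-03-02T10:15:10Z", "GetSecretValue", "prod/redshift-master"),
    _record("2026-03-02T10:15:20Z", "GetSecretValue", "prod/api-key"),
    _record("2026-03-02T10:15:30Z", "GetSecretValue", "legacy/backup-key"),
    _record("2026-03-02T10:16:00Z", "GetSecretValue", "prod/api-key",
            role="ops-admin", session="alice", ip="203.0.113.7"),
]


def task_role(arn):
    """Return the role name if arn is a session of a known ECS task role."""
    m = ASSUMED_ROLE.match(arn or "")
    return m.group(1) if m and m.group(1) in ECS_TASK_ROLES else None


def analyze(records):
    """Return alerts per task session: any ListSecrets, and any WINDOW-long
    span in which more than DISTINCT_SECRETS_THRESHOLD distinct secrets
    were read."""
    per_session = defaultdict(list)
    for r in records:
        if r.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        if r.get("eventName") not in ENUM_EVENTS:
            continue
        arn = (r.get("userIdentity") or {}).get("arn")
        if task_role(arn) is None:
            continue
        ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        secret = (r.get("requestParameters") or {}).get("secretId")
        per_session[arn].append((ts, r["eventName"], secret))

    alerts = []
    for arn, events in per_session.items():
        events.sort(key=lambda e: e[0])
        listing = [e for e in events if e[1] == "ListSecrets"]
        if listing:
            alerts.append({"session": arn, "at": listing[0][0].isoformat(),
                           "reason": "ListSecrets from an ECS task role"})
        reads = [e for e in events if e[2] is not None]
        for i, (start, _, _) in enumerate(reads):
            distinct = {e[2] for e in reads[i:] if e[0] - start <= WINDOW}
            if len(distinct) > DISTINCT_SECRETS_THRESHOLD:
                alerts.append({"session": arn, "at": start.isoformat(),
                               "reason": f"{len(distinct)} distinct secrets read within {WINDOW}",
                               "secrets": sorted(distinct)})
                break
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_RECORDS):
        print(alert)
```

Secrets Manager calls, GetSecretValue included, are recorded as CloudTrail management events, so no extra data-event trail is needed; the routine 09:00 read produces nothing, and the ListSecrets rule fires on a single event because a workload that knows its secret's ARN has no reason to enumerate. Set the read threshold from the role's real baseline, and key the rule on the role inventory rather than on session names, which are easy to confuse with human sessions.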