
Highest severity React2Shell vulnerability exploited by North Korean hackers for malware attacks

  • Critical React2Shell bug (CVE-2025-55182) exploited by Chinese and North Korean groups
  • North Korea deploys EtherRAT, an implant with Ethereum-based C2, Linux persistence and its own Node.js runtime
  • Researchers urge immediate updates to the patched React releases 19.0.1, 19.1.2 and 19.2.1

China-affiliated groups are not the only ones exploiting React2Shell, a critical vulnerability recently disclosed in React Server Components (RSC).

Several reports describe state-sponsored North Korean actors doing the same. The difference is that the North Korean actors are using the vulnerability to deploy a new malware family that installs its own persistence mechanisms.

Late last week, the React team published a security advisory describing a bug in RSC that can be triggered without authentication. It affects the packages react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack in versions 19.0, 19.1.0, 19.1.1 and 19.2.0. The bug, now known as "React2Shell", is tracked as CVE-2025-55182 and carries the maximum severity rating of 10/10 (Critical).

More advanced attacks

Because React is one of the most widely used JavaScript libraries and underpins a large share of the web, researchers warned that exploitation was imminent and urged everyone to patch immediately by updating to 19.0.1, 19.1.2 or 19.2.1, depending on the minor line in use.
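A practical first step is to confirm which of the three affected packages a project actually ships, including copies nested under other dependencies, since a patched top-level install can still sit next to a vulnerable nested one. The following script is an added example, not code from the article or the React project: it walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` and flags the react-server-dom-* versions the advisory lists as affected. The package names and version lists come from the advisory as quoted above; the lockfile fragment is constructed for the example, and "19.0" is assumed to mean 19.0.0.

```javascript
// Added example (not from the article or the React project): scan a
// package-lock.json (lockfileVersion 2/3 "packages" map) for the
// react-server-dom-* packages and flag versions the React advisory
// lists as affected by CVE-2025-55182 (React2Shell).
const AFFECTED_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// Versions named as affected in the advisory, and the fixed releases.
// "19.0" in the advisory is taken here to mean 19.0.0 (assumption).
const AFFECTED_VERSIONS = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);
const FIXED_VERSIONS = new Set(['19.0.1', '19.1.2', '19.2.1']);

// Map an affected version to the fixed release on the same minor line,
// so the report can say what to upgrade to.
function fixedFor(version) {
  const [major, minor] = version.split('.');
  return [...FIXED_VERSIONS].find((v) => v.startsWith(`${major}.${minor}.`)) || null;
}

// Derive the bare package name from a lockfile "packages" key such as
// "node_modules/some-ui-kit/node_modules/react-server-dom-webpack".
function packageNameFromKey(key) {
  const idx = key.lastIndexOf('node_modules/');
  return idx === -1 ? key : key.slice(idx + 'node_modules/'.length);
}

// Return one finding per affected install: { path, name, version, fixed }.
function findVulnerableRscPackages(lockfile) {
  const findings = [];
  const packages = lockfile.packages || {};
  for (const [key, entry] of Object.entries(packages)) {
    if (key === '') continue; // root project entry, not a dependency
    const name = packageNameFromKey(key);
    if (!AFFECTED_PACKAGES.includes(name)) continue;
    if (AFFECTED_VERSIONS.has(entry.version)) {
      findings.push({ path: key, name, version: entry.version, fixed: fixedFor(entry.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment (not a real project): one
// vulnerable top-level install, one vulnerable copy nested under another
// dependency, and one install that is already on a patched release.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/react-server-dom-webpack': { version: '19.1.1' },
    'node_modules/some-ui-kit/node_modules/react-server-dom-turbopack': { version: '19.2.0' },
    'node_modules/react-server-dom-parcel': { version: '19.2.1' },
  },
};

// Print findings in a form that can be grepped from CI output.
function report(lockfile) {
  const findings = findVulnerableRscPackages(lockfile);
  for (const f of findings) {
    console.log(`${f.path}: ${f.name}@${f.version} is affected by CVE-2025-55182; upgrade to ${f.fixed}`);
  }
  if (findings.length === 0) console.log('no affected react-server-dom-* versions found');
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node check-react2shell.js [path/to/package-lock.json]
  // Without an argument the constructed sample lockfile is scanned.
  const fs = require('fs');
  const file = process.argv[2];
  const lock = file ? JSON.parse(fs.readFileSync(file, 'utf8')) : SAMPLE_LOCKFILE;
  const findings = report(lock);
  if (file) process.exitCode = findings.length > 0 ? 1 : 0;
}
```

Run it against a real lockfile with `node check-react2shell.js package-lock.json`; a non-zero exit code makes it usable as a CI gate. Note that the check is an exact-version match against the versions the advisory names, so a project pinned to a pre-release or to a fork with a different version string will need a manual look.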

Days later, researchers reported that the China-affiliated groups Earth Lamia and Jackpot Panda were using the flaw against organizations across a range of industries, and Sysdig followed with findings of its own.

Sysdig's team recovered a new implant, which it calls EtherRAT, from a compromised Next.js application. Compared with the Earth Lamia and Jackpot Panda activity, EtherRAT is "much more advanced": a persistent implant that combines techniques from at least three documented campaigns.

“EtherRAT leverages an Ethereum smart contract for command and control (C2) resolution, provides five independent Linux persistence mechanisms, and downloads the Node.js runtime from nodejs.org,” the researchers explain. “This combination of features had not been seen before React2Shell was exploited.”

There are clear similarities to Contagious Interview, a notorious North Korean campaign in which high-value targets are lured into fake job interviews and infected with various information stealers.
