Maximum severity React2Shell flaw exploited by North Korean hackers in malware attacks

• React2Shell (CVE-2025-55182) critical flaw exploited by Chinese and North Korean groups
• North Korea deploys EtherRAT implant with Ethereum C2, Linux persistence, and Node.js runtime
• Researchers urge urgent updates to patched React versions 19.0.1, 19.1.2, and 19.2.1

The Chinese are not the only ones exploiting React2Shell, a maximum-severity vulnerability that was recently discovered in React Server Components (RSC).

Reports are coming in detailing North Korean state-sponsored threat actors doing the same. The only difference is that the North Koreans are using the flaw to deploy a novel persistence mechanism malware.

Late last week, the React team published a security advisory detailing a pre-authentication bug in multiple versions of multiple packs, affecting RCS. The versions that are affected include 19.0, 19.1.0, 19.1.1, and 19.2.0, react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. The bug, now dubbed 'React2Shell', is tracked as CVE-2025-55182, and is given a severity score of 10/10 (critical).

Catch the price drop- Get 30% OFF for Enterprise and Business plans

The Black Friday campaign offers 30% off for Enterprise and Business plans for a 1- or 2-year subscription. It’s valid until December 10th, 2025. Customers must enter the promo code BLACKB2B-30 at checkout to redeem the offer.

View Deal

More sophisticated attacks

Since React is one of the most popular JavaScript libraries out there and powers much of today’s internet, researchers warned that exploitation was imminent, urging everyone to apply the fix without delay and update their systems to versions 19.0.1, 19.1.2, and 19.2.1.

Just days later, researchers reported seeing China-linked groups, Earth Lamia and Jackpot Panda, using the bug to target organizations in different verticals, and Sysdig came back with similar results.

This security outfit found a novel implant from a compromised Next.js application dubbed EtherRAT. Compared to what Earth Lamia and Jackpot Panda were doing, EtherRAT is “far more sophisticated”, representing a persistent access implant that combines the techniques from at least three documented campaigns.

“EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org,” the researchers explained. “This combination of capabilities has not been previously observed in React2Shell exploitation.”

Allegedly, there are quite a few things here that resemble Contagious Interview, an infamous North Korean hacking campaign that involves inviting high-value targets to fake job interviews, during which different infostealers are deployed.

Via The Hacker News

The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.