- Critical React2Shell flaw (CVE-2025-55182) exploited by Chinese and North Korean groups
- North Korea deploys EtherRAT implant with Ethereum C2, Linux persistence and Node.js runtime
- Researchers urge immediate updates to the patched versions, React 19.0.1, 19.1.2 and 19.2.1
The Chinese are not the only ones exploiting React2Shell, a maximum severity vulnerability that was recently discovered in React Server Components (RSC).
Reports are now coming in that North Korean state-sponsored threat actors are doing the same thing. The difference is that the North Koreans are using the flaw to deploy an implant with a novel set of persistence mechanisms.
Late last week, the React team published a security advisory detailing a pre-authentication bug in multiple versions of multiple packages that implement RSC. Affected versions are 19.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. The bug, now named ‘React2Shell’, is tracked as CVE-2025-55182 and has been assigned a severity score of 10/10 (critical).
More sophisticated attacks
Since React is one of the most popular JavaScript libraries out there and powers much of the Internet today, researchers warned that exploitation was imminent and urged everyone to apply the fix without delay and update their systems to versions 19.0.1, 19.1.2, and 19.2.1.
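For defenders who want to confirm whether a deployment is on one of the affected or fixed versions, here is an added example (not from the article or the React project) that scans a package-lock.json (lockfile v2/v3 "packages" map) for the three react-server-dom-* packages named in the advisory and classifies each installed copy, including nested installs, against the affected and patched versions listed above. The sample lockfile is constructed for demonstration.

```javascript
// Added example: audit a package-lock.json for the React Server Components
// packages named in the advisory and classify their installed versions.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
// Versions the advisory lists as affected (19.0 == 19.0.0) and the first
// fixed patch level for each affected minor line.
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const FIXED_PATCH_BY_MINOR = { "19.0": 1, "19.1": 2, "19.2": 1 };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +(m[3] ?? 0) };
}

// Returns "vulnerable", "patched", or "review" (a version the advisory
// text above does not cover, e.g. older majors or prereleases).
function classify(version) {
  const p = parseVersion(version);
  if (!p) return "review";
  const canon = `${p.major}.${p.minor}.${p.patch}`;
  if (AFFECTED_VERSIONS.has(canon)) return "vulnerable";
  const fixedPatch = FIXED_PATCH_BY_MINOR[`${p.major}.${p.minor}`];
  if (fixedPatch !== undefined && p.patch >= fixedPatch) return "patched";
  return "review";
}

// lockJson: parsed object or JSON string of a lockfile v2/v3 package-lock.
function auditLockfile(lockJson) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    const name = path.split("node_modules/").pop(); // last segment is the package name
    if (!AFFECTED_PACKAGES.has(name) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile: one vulnerable top-level install and one
// patched copy nested under another dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.1.2" },
  },
};
```

Run it against a real lockfile with `auditLockfile(require("fs").readFileSync("package-lock.json", "utf8"))`; anything reported as "review" should be checked against the advisory by hand rather than assumed safe.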
Just a few days later, researchers reported seeing the China-linked groups Earth Lamia and Jackpot Panda using the bug to target organizations across different verticals, and Sysdig has now reported similar findings.
The Sysdig team found a new implant, called EtherRAT, on a compromised Next.js application. Compared to what Earth Lamia and Jackpot Panda were doing, EtherRAT is “much more sophisticated”: it is a persistent access implant that combines techniques from at least three documented campaigns.
“EtherRAT leverages Ethereum smart contracts for command and control (C2) resolution, implements five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org,” the researchers explained. “This combination of capabilities has not previously been observed in the exploitation of React2Shell.”
There is reportedly quite a bit here that resembles Contagious Interview, an infamous North Korean hacking campaign in which high-value targets are invited to fake job interviews, during which various infostealers are deployed.
Via The Hacker News