- React2Shell (CVE-2025-55182) critical flaw exploited by Chinese and North Korean groups
- North Korea deploys EtherRAT implant with Ethereum C2, Linux persistence and Node.js runtime
- Researchers call for urgent updates to patched React versions 19.0.1, 19.1.2 and 19.2.1
The Chinese are not the only ones exploiting React2Shell, a maximum severity vulnerability recently discovered in React Server Components (RSC).
Reports are coming in detailing North Korean state-sponsored threat actors doing the same. The only difference is that the North Koreans are using this flaw to deploy new malware with a persistence mechanism.
Late last week, the React team released a security advisory detailing a pre-authentication bug in multiple versions of multiple packages, affecting RCS. Affected versions include 19.0, 19.1.0, 19.1.1, and 19.2.0, react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. The bug, now named “React2Shell,” is tracked as CVE-2025-55182 and receives a severity score of 10/10 (critical).
More sophisticated attacks
Since React is one of the most popular JavaScript libraries and powers much of today’s Internet, researchers warned that its exploitation was imminent, urging everyone to apply the patch without delay and update their systems to versions 19.0.1, 19.1.2, and 19.2.1.
Days later, researchers reported seeing China-linked groups Earth Lamia and Jackpot Panda using the bug to target organizations in different industries, and Sysdig came back with similar results.
This security team found a new implant originating from a compromised Next.js application called EtherRAT. Compared to what Earth Lamia and Jackpot Panda were doing, EtherRAT is “much more sophisticated”, representing a persistent access implant that combines techniques from at least three documented campaigns.
“EtherRAT leverages Ethereum smart contracts for command and control (C2) resolution, deploys five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org,” the researchers explained. “This combination of capabilities has never been seen before in leveraging React2Shell.”
Apparently there’s quite a bit here that resembles Contagious Interview, an infamous North Korean hacking campaign that involves inviting high-value targets to fake job interviews, during which various information stealers are deployed.
Via Hacker news
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
