- React2Shell (CVE-2025-55182) critical flaw exploited by Chinese and North Korean groups
- North Korea deploys EtherRAT implant with Ethereum C2, Linux persistence and Node.js runtime
- Researchers urge prompt updates to patched React versions 19.0.1, 19.1.2 and 19.2.1
The Chinese are not the only ones exploiting React2Shell, a maximum severity vulnerability recently discovered in React Server Components (RSC).
Reports are coming in detailing North Korean state-sponsored threat actors doing the same. The only difference is that the North Koreans are using the flaw to implement a new persistence mechanism, malware.
Late last week, the React team published a security advisory detailing a pre-authentication bug in multiple versions of multiple packages that affects RCS. The affected versions include 19.0, 19.1.0, 19.1.1, and 19.2.0, react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. The bug, now dubbed ‘React2Shell’, is tracked as CVE-2025-55182 and given a severity score of 10/10 (Critical).
More sophisticated attacks
Since React is one of the most popular JavaScript libraries out there and powers much of today’s Internet, researchers warned that exploitation was imminent and urged everyone to apply the patch without delay and update their systems to version 19.0.1, 19.1.2 and 19.2.1.
Just days later, researchers reported seeing China-linked groups Earth Lamia and Jackpot Panda use the flaw to target organizations in various verticals, and Sysdig came back with similar findings.
This security tool found a new implant from a compromised Next.js application called EtherRAT. Compared to what Earth Lamia and Jackpot Panda did, EtherRAT is “far more sophisticated,” representing a persistent access implant that combines the techniques of at least three documented campaigns.
“EtherRAT leverages Ethereum’s smart contracts for command-and-control (C2) resolution, implements five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org,” the researchers explained. “This combination of capabilities has not previously been observed in a React2Shell exploit.”
Allegedly, there are quite a few things here that resemble Contagious Interview, an infamous North Korean hacking campaign that involves inviting high-value targets to fake job interviews where various infostealers are deployed.
Via Hacker News
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
