React2Shell Attacks Linked to North Korean Hackers

Recent attacks exploiting the React2Shell vulnerability (CVE-2025-55182) appear to be conducted by North Korean threat actors, targeting open-source frameworks like React and Next.js. These exploits involve sophisticated malware such as EtherRAT and are linked to campaigns stealing cryptocurrency and deploying persistent implants. #React2Shell #NorthKorea #EtherRAT #ContagiousInterview

Key points

  • The React2Shell vulnerability (CVE-2025-55182) impacts React and related frameworks like Next.js.
  • Exploitation involves sophisticated malware such as EtherRAT, leveraging Ethereum smart contracts for C2 communication.
  • North Korean threat actors, possibly Lazarus, are linked to these attacks aimed at cryptocurrency theft and malware deployment.
  • Approximately 70,000 systems have been identified as vulnerable, with initial exploitation by China-linked groups.
  • The attacks include use of encrypted loaders and a shift to downloading Node.js directly from the official source to evade detection.

Read More: https://www.securityweek.com/react2shell-attacks-linked-to-north-korean-hackers/