React2Shell Exploitation Leads to Increased Crypto Malware Threats
Full Transcript
React2Shell continues to see heavy exploitation, with threat actors leveraging the maximum-severity flaw in React Server Components to deliver cryptocurrency miners and an array of previously undocumented malware families.
According to Huntress, attackers are targeting numerous organizations via CVE-2025-55182, a critical vulnerability that allows unauthenticated remote code execution. The company observed the first recorded exploitation attempt on a Windows endpoint on December 4, 2025: a vulnerable Next.js instance was used to drop a shell script that deployed a cryptocurrency miner and a Linux backdoor.
The attackers appear to be using automated exploitation tooling, as suggested by identical vulnerability probes and shell-command tests observed across multiple endpoints. Notable payloads include PeerBlight, a Linux backdoor; CowTunnel, a reverse proxy tunnel; and ZinFoq, a Go-based post-exploitation implant.
The attacks have predominantly affected sectors such as construction and entertainment. As of December 8, 2025, the Shadowserver Foundation had detected over 165,000 IP addresses and 644,000 domains exposing vulnerable code, with more than 99,200 of those instances located in the U.S. alone.
Palo Alto Networks Unit 42 identified further activity, linked to the Contagious Interview campaign, that delivers EtherRAT, and noted that more than 50 organizations across various sectors, including financial services and telecommunications, have been affected.
The report urged organizations that depend on react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack to update immediately, given how easily the flaw can be exploited.
With exploitation continuing across the entire threat landscape, experts warn of a surge in attacks ranging from low-skill opportunistic abuse to more sophisticated intrusions, a concerning trend in crypto-malware threats.