
"At least five more Chinese spy crews, Iran-linked goons, and financially motivated criminals are now attacking the React2Shell, a maximum-severity flaw in the widely used React JavaScript library, according to Google. Unauthenticated attackers can abuse the flaw, tracked as CVE-2025-55182, to remotely execute code, and the Chocolate Factory's threat hunters said multiple groups are using this vulnerability to deploy backdoors, tunnelers, and cryptocurrency miners. React maintainers disclosed the critical bug on December 3, and exploitation began almost immediately."
"According to Amazon's threat intel team, Chinese government crews, including Earth Lamia and Jackpot Panda, started battering the security hole within hours of its disclosure. Palo Alto Networks' Unit 42 responders have put the victim count at more than 50 organizations across multiple sectors, with attackers from North Korea also abusing the flaw."
"Google, in a late Friday report, said at least five other suspected PRC spy groups also exploited React2Shell, along with criminals who deployed XMRig for illicit cryptocurrency mining, and "Iran-nexus actors," although the report doesn't provide any additional details about who the Iran-linked groups are and what they are doing after exploitation. "GTIG has also observed numerous discussions regarding CVE-2025-55182 in underground forums, including threads in which threat actors have shared links to scanning tools, proof-of-concept (PoC) code, and their experiences using these tools," the researchers wrote."
React2Shell (CVE-2025-55182) is a maximum-severity unauthenticated remote code execution vulnerability in the React JavaScript library that allows attackers to run arbitrary code. Exploitation started immediately after maintainers disclosed the flaw on December 3, with multiple clusters rapidly weaponizing the bug. Observed operators include Chinese state-linked crews (Earth Lamia, Jackpot Panda, UNC6600, UNC6586), North Korean actors, Iran-linked groups, and financially motivated criminals. Attackers have deployed backdoors such as Snowlight, tunnelers like Minocat, and XMRig miners. Security teams reported underground sharing of PoC code and scanning tools, and Unit 42 recorded over 50 victim organizations across sectors.
Read at Theregister