Quick Take
  • The vulnerability affects not only Web3 protocols but all websites using React, with attackers targeting permit signatures across platforms.
  • Users face immediate risk when signing any transaction, as malicious code intercepts wallet communications and redirects funds to attacker-controlled addresses.
  • React’s official team disclosed CVE-2025-55182 on December 3, rating it CVSS 10.0 following Lachlan Davidson’s November 29 report through Meta Bug Bounty.
  • Major frameworks, including Next.js, React Router, Waku, and Expo, require immediate updates.

What Happened

A critical security flaw in React Server Components has prompted urgent warnings across the crypto industry, as threat actors are rapidly exploiting it to drain wallets and deploy malware.

Security Alliance announced that crypto-drainers are actively weaponizing CVE-2025-55182, urging all websites to review their front-end code immediately for suspicious assets.

The unauthenticated remote code execution vulnerability stems from how React decodes payloads sent to Server Function endpoints: an attacker can craft a malicious HTTP request whose payload, when deserialized by the server, executes arbitrary code.

Major frameworks, including Next.js, React Router, Waku, and Expo, require immediate updates. Patches arrived in versions 19.0.1, 19.1.2, and 19.2.1, with Next.js users needing upgrades across multiple release lines from 14.2.35 through 16.0.10.

“Immediate upgrades to a patched version are required,” Vercel stated in its December 3 security bulletin, adding that the vulnerability affects applications that process untrusted input in ways that permit remote code execution.

Multiple Threat Groups Launch Coordinated Attacks

Google Threat Intelligence Group documented widespread attacks beginning on December 3, tracking criminal groups ranging from opportunistic hackers to government-backed operations.

Chinese hacking groups installed various malware types on compromised systems, primarily targeting cloud servers on Amazon Web Services and Alibaba Cloud.

Some groups installed software creating secret tunnels for remote control, while others deployed programs that continuously download additional malicious tools disguised as legitimate files. The malware hides in system folders and automatically restarts to avoid detection.

The crypto-mining malware installed in these attacks runs constantly in the background, driving up victims’ electricity costs while generating profits for the attackers. Underground hacking forums quickly filled with discussions sharing attack tools and exploitation experiences.

The React vulnerability follows a September 8 attack in which hackers compromised Josh Goldberg’s npm account and published malicious updates to 18 widely used packages, including chalk, debug, and strip-ansi.

Market Context

The vulnerability affects not only Web3 protocols but all websites using React, with attackers targeting permit signatures across platforms.

Critical Flaw Enables Remote Code Execution

Why It Matters

Users face immediate risk when signing any transaction, as malicious code intercepts wallet communications and redirects funds to attacker-controlled addresses.

The flaw impacts React versions 19.0, 19.1.0, 19.1.1, and 19.2.0 across react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages.
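The affected and patched version numbers above are exactly what a defender needs for a quick dependency audit. The following script is an added example (it is not code from the article, React, or Vercel): it walks the `packages` map of an npm `package-lock.json` (lockfile version 2 or 3) and flags the three `react-server-dom-*` packages at the versions the article lists as affected, naming the first patched release on the same 19.x minor line. The lockfile contents and the "any lower patch level on the same minor line is unpatched" rule are my assumptions, and versions outside the lines the article mentions are reported as unknown rather than guessed at.

```javascript
// Added example, not from the article or the React project: audit an npm
// lockfile for react-server-dom-* versions affected by CVE-2025-55182.

// Packages named in the article as carrying the flaw.
const AFFECTED_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

// First patched release per 19.x minor line, as listed in the article.
// Assumption (mine, not the article's): any lower patch level on the same
// minor line is treated as unpatched.
const PATCHED_BY_MINOR = { 0: '19.0.1', 1: '19.1.2', 2: '19.2.1' };

// Minimal semver parse: major.minor.patch, ignoring pre-release/build tags.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// Classify one package@version as 'not-affected', 'vulnerable',
// 'patched', or 'unknown' (version line not covered by the article).
function classify(name, version) {
  if (!AFFECTED_PACKAGES.has(name)) return 'not-affected';
  const sv = parseSemver(version);
  if (!sv || sv.major !== 19) return 'unknown';
  const fix = PATCHED_BY_MINOR[sv.minor];
  if (!fix) return 'unknown';
  return sv.patch < parseSemver(fix).patch ? 'vulnerable' : 'patched';
}

// Walk a package-lock "packages" map. Keys look like "node_modules/foo" or
// "node_modules/next/node_modules/foo"; the root project entry is "".
function auditLockfile(lock) {
  const findings = [];
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx < 0) continue; // root entry or workspace path, not a dependency
    const name = path.slice(idx + marker.length);
    if (!AFFECTED_PACKAGES.has(name)) continue;
    const status = classify(name, entry.version);
    const sv = parseSemver(entry.version);
    findings.push({
      path,
      name,
      version: entry.version,
      status,
      fix: sv && PATCHED_BY_MINOR[sv.minor] ? PATCHED_BY_MINOR[sv.minor] : null,
    });
  }
  return findings;
}

// Constructed sample lockfile (not a real project's), mixing a nested
// dependency, a patched line, and two affected versions.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/react': { version: '19.1.1' },
    'node_modules/react-server-dom-webpack': { version: '19.1.1' },
    'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.2.1' },
    'node_modules/react-server-dom-parcel': { version: '19.0.0' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  const advice = f.status === 'vulnerable' ? ` -> upgrade to ${f.fix}` : '';
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version} (${f.path})${advice}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the nested-path handling matters because frameworks such as Next.js vendor their own copy of these packages, so the top-level `react` version alone says nothing about exposure.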

Details

React’s official team disclosed CVE-2025-55182 on December 3, rating it CVSS 10.0 following Lachlan Davidson’s November 29 report through Meta Bug Bounty.

Unfortunately, the researchers have again detected two major new flaws.

Vercel deployed Web Application Firewall rules to automatically protect projects on its platform, though the company emphasized that WAF protection alone remains insufficient.

These attackers employed sophisticated techniques to maintain long-term access to victim systems.

Several groups disguised malicious software as common programs or used legitimate cloud services, such as Cloudflare Pages and GitLab, to hide their communications.

Financially motivated criminals joined the attack wave starting on December 5, installing crypto-mining software that secretly uses victims’ computing power to generate Monero.

Historic Supply Chain Attack Pattern Continues

The 18 compromised npm utilities collectively account for over 2.6 billion weekly downloads, and researchers found that the malicious updates carried crypto-clipper malware that intercepts browser functions to swap legitimate wallet addresses for attacker-controlled ones.

Ledger CTO Charles Guillemet described that incident as a “large-scale supply chain attack,” advising users without hardware wallets to avoid on-chain transactions.