JavaScript library code hacks put all crypto websites at risk


A security vulnerability affecting components of the React Server Components library led to urgent warnings across the crypto industry, after attackers exploited it to compromise a digital wallet and spread malware.

The Security Alliance announced that attackers are exploiting the vulnerability CVE-2025-55182 in earnest, and urged all website users to check their front-end code for any suspicious software.

The threat also appears not to be limited to Web3 protocols: it extends to all websites that use the React library. Attackers target authorization signatures on different platforms, exposing users to risk whenever they sign anything, since the malware intercepts the digital wallet's connection and redirects funds to the attackers' wallet addresses.

A serious vulnerability that allows remote execution of malicious code

The CVE-2025-55182 vulnerability was disclosed by the official React team on December 3, and was classified as CVSS 10.0 following Lachlan Davidson’s November 29 Meta Bug Bounty report.

This vulnerability, which allows remote execution of malicious code without authentication, exploits the way React decodes data sent to the backend server, enabling the attacker to send malicious HTTP requests that execute code on the server.

It is worth noting that this vulnerability affected versions of React 19.0, 19.1.0, 19.1.1, and 19.2.0 in the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages.

Major web frameworks including Next.js, React Router, Waku, and Expo therefore required immediate updates once fixes became available in versions 19.0.1, 19.1.2, and 19.2.1, with Next.js users needing to update across versions 14.2.35 to 16.0.10.

Unfortunately, researchers also found other security issues.

This led Vercel to set up its own firewall rules to protect the projects on its platform, although it insisted that the firewall itself was not considered sufficient.

Vercel said in its security report released on December 3: “A quick migration to the updated version is essential”, adding that the vulnerability affects software that processes untrusted input in ways that allow malicious code to be executed remotely.

Multiple threat groups carry out coordinated attacks

Google’s threat intelligence team documented widespread attacks beginning on December 3, identifying threat groups ranging from opportunistic hackers to state-sponsored groups. Chinese hacking groups installed various types of malware on compromised systems, particularly targeting cloud servers at Amazon Web Services and Alibaba Cloud.

The attackers used advanced techniques to gain access to the targeted systems. Some groups installed software that created secret remote tunnels, while others deployed software that regularly downloaded malicious software disguised as encrypted files. The malware hid in system folders and restarted itself to avoid detection.

On the other hand, several groups disguised their malware as regular software, or used legitimate cloud services such as Cloudflare and GitLab to hide their communications.

Financially motivated criminals also joined the wave of attacks on December 5, installing cryptocurrency mining software that secretly uses the processing power of the victim’s machine to mine Monero (XMR) coins. These groups ran the hidden mining programs continuously in the background, which increased electricity costs for the victims and brought profits to the attackers. Hacking forums quickly filled with discussions about attack tools and hacking attempts.

The history of supply chain attacks continues

The React vulnerability follows the attacks of September 8, when hackers broke into the npm account of the well-known package maintainer Josh Goldberg and published malicious updates to 18 widely used packages, mainly chalk, debug, and strip-ansi. Together, these packages are downloaded more than 2.6 billion times per week.

Researchers also discovered a malicious crypto-clipper program that intercepts web browser functions to replace real crypto wallet addresses with the hackers’ addresses.

For his part, Charles Guillemet, Ledger’s chief technology officer, described the incident as “massive attacks on supply chains”, advising users who do not have hardware wallets to avoid trading on the blockchain.

Criminals reportedly gained access to victims through phishing campaigns posing as npm support, claiming that accounts would be locked unless 2FA credentials were changed by September 10.

Global Ledger data shows that criminals stole more than $3 billion in digital assets through 119 frauds in the first half of 2025. In 70% of cases the stolen money was transferred before the breach was detected, and only 4.2% of the stolen assets were recovered, as laundering now takes seconds instead of hours.

Meanwhile, organizations that use React or Next.js are advised to update immediately to 19.0.1, 19.1.2, or 19.2.1, implement Web Application Firewall (WAF) rules, review all dependencies, monitor for wget or cURL commands executed by web servers, and search their systems for hidden malware.
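The dependency review recommended above can start from the lockfile. The following is an added example, not code from the article or from the React project: it scans a parsed package-lock.json (lockfileVersion 2 or 3 layout) for the three packages and the affected versions listed earlier. It reads the article's "19.0" as 19.0.0 (an assumption), and the function name and sample lockfile are constructed for illustration.

```javascript
// Packages named in the article as carrying CVE-2025-55182.
const PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];
// Affected versions as listed in the article ("19.0" read as 19.0.0: assumption).
const AFFECTED = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// Fixed release for each 19.x line, as listed in the article.
const FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Hypothetical helper: returns one finding per installed copy of a listed package.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/b"; the last segment is the
    // package name, so nested (transitive) copies are checked too.
    const name = path.split("node_modules/").pop();
    if (!PACKAGES.includes(name) || !meta.version) continue;
    const releaseLine = meta.version.split(".").slice(0, 2).join(".");
    const affected = AFFECTED.has(meta.version);
    findings.push({
      path,
      name,
      version: meta.version,
      affected,
      upgradeTo: affected ? FIXED[releaseLine] : null,
    });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/example-framework/node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/react-server-dom-parcel": { version: "19.0.0" },
    "node_modules/react": { version: "19.1.1" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(f.affected ? "AFFECTED" : "ok", f.path, f.version, f.upgradeTo || "");
}
```

To check a real project, pass the parsed contents of its package-lock.json to `auditLockfile`. A framework that ships these packages bundled inside its own release will not appear in the lockfile under these names, so its version still has to be checked against the framework's own advisory.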

The post “Official hacking of the JavaScript library puts all crypto websites at risk” first appeared on Cryptonews Arabic.




