React2Shell (CVE-2025-55182): Critical React and Next.js RCE Now Weaponized by EtherRAT Malware

CyberSecureFox 🦊

Within days of the disclosure of the critical React2Shell (CVE-2025-55182) vulnerability, threat hunters from Sysdig have observed active exploitation against Next.js applications to deploy a new Linux-focused malware family dubbed EtherRAT. The malware abuses Ethereum smart contracts as a command-and-control (C2) layer and implements several persistence mechanisms, turning vulnerable React Server Components into an attractive entry point for long‑term compromise.

Critical React2Shell vulnerability in React Server Components and Next.js

React2Shell is a remote code execution (RCE) vulnerability affecting React Server Components (RSC). It has been assigned the maximum CVSS score of 10.0, mainly due to its ease of exploitation and broad impact. The root cause is unsafe deserialization of untrusted data on the server side.

An attacker only needs to send a crafted unauthenticated HTTP request to trigger arbitrary code execution on the server, without any valid session or elevated privileges. This makes internet-exposed React and Next.js applications particularly high-risk.

The flaw affects default configurations of recent React releases 19.0, 19.1.0, 19.1.1 and 19.2.0, as well as applications built on Next.js. Patches are available in React 19.0.1, 19.1.2, 19.2.1 and corresponding Next.js versions, but a significant number of internet-facing deployments remain unpatched.

According to Sysdig, the vulnerability is already being exploited by at least two China‑linked groups, Earth Lamia and Jackpot Panda, with confirmed impact on more than 30 organizations. Researchers also warn that other React Server implementations may be similarly exposed, including the Vite RSC plugin, the Parcel RSC plugin, the React Router RSC preview, RedwoodSDK and Waku.

Attack chain: from a single HTTP request to a hidden Node.js environment

The observed attack chain starts with React2Shell exploitation, which forces the server to run a base64‑encoded shell command. This command repeatedly tries, every 300 seconds, to download a script named s.sh using curl, wget or python3 until it succeeds. Once fetched, the script is made executable and launched.

The s.sh script creates a hidden directory under $HOME/.local/share/ and downloads a legitimate Node.js 20.10.0 binary directly from nodejs.org. Into that same directory the attackers drop an encrypted payload and an obfuscated JavaScript loader. The loader is then executed using the freshly installed Node.js runtime.

After launching the loader, s.sh deletes itself to reduce forensic traces. The JavaScript dropper decrypts the embedded blob using a hard-coded AES‑256‑CBC key, writes the decrypted content to another hidden JS file, and executes it via Node.js. This final component is EtherRAT, a fully featured Node.js-based malware tailored for Linux environments.

EtherRAT: Ethereum smart contracts as resilient C2 infrastructure

What sets EtherRAT apart is its use of Ethereum smart contracts as a C2 channel. Instead of relying on a single C2 server or hard‑coded IPs, EtherRAT concurrently queries nine public Ethereum RPC providers and adopts the response returned by the majority. This design makes takedown operations significantly harder, as defenders cannot simply sinkhole a single node or endpoint.

Every 500 milliseconds, EtherRAT generates randomized URLs that mimic legitimate CDN-style domains, reaches out to its control infrastructure, and executes the JavaScript it receives using AsyncFunction. In practice, this gives attackers a live interactive Node.js shell on the compromised host, enabling them to change functionality on the fly without writing new files to disk.

Researchers note that this approach follows the broader trend known as EtherHiding, where attackers hide malicious logic and configuration data in blockchain infrastructure. Google and GuardioLabs have previously documented similar techniques. Sysdig also reports that EtherRAT’s encrypted loader closely resembles the BeaverTail malware used in the Contagious Interview campaign, suggesting a possible link to the North Korea–associated Lazarus Group.

Multi-layer persistence and self-updating Node.js malware

On Linux systems, EtherRAT implements five parallel persistence mechanisms, according to Sysdig’s analysis. While the report does not disclose each method in full detail, they span typical autostart locations and scheduled execution points, ensuring that the malware survives reboots, routine maintenance and partial cleanups. Removing a single process or file is rarely sufficient; defenders must identify and eradicate every persistence hook.

Another notable capability is EtherRAT’s self‑modifying code. The malware periodically uploads its own source code to a dedicated API endpoint and receives a functionally equivalent but differently obfuscated version in return. It then overwrites its existing code and spawns a new process. This continuous regeneration undermines static signature-based detection, complicates malware analysis and allows rapid feature evolution for specific campaigns.

Priority mitigation steps for React and Next.js environments

Organizations running React Server Components, Next.js and other server-side React frameworks, especially in Linux and cloud-native environments, should assume elevated exposure to React2Shell‑driven attacks and EtherRAT deployments. The following measures are recommended as a priority:

1. Patch vulnerable React and Next.js deployments. Upgrade React to 19.0.1, 19.1.2 or 19.2.1 and apply the latest Next.js releases that address CVE‑2025‑55182. Review other RSC-related libraries (Vite, Parcel, React Router RSC preview, RedwoodSDK, Waku) for unsafe deserialization and apply vendor guidance.

2. Hunt for EtherRAT artifacts on Linux hosts. Scan for hidden directories under $HOME/.local/share/, unexpected Node.js installations, the presence of s.sh, and unusual node processes running under application or service accounts.

3. Audit persistence and startup mechanisms. Review systemd units, cron jobs, user-level autostart entries and other autoload locations for suspicious scripts or Node.js commands. Correlate findings with indicators of compromise (IoCs) published by Sysdig and other vendors.

4. Monitor and control Ethereum RPC traffic. Where operationally feasible, restrict outbound connections to public Ethereum RPC providers from application servers. Implement network monitoring for atypical blockchain-related traffic patterns and rotate access keys and tokens regularly to limit post‑exploitation impact.
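Steps 2 and 3 above can be turned into a repeatable host triage. The script below is an added example written for this article, not Sysdig's tooling or published IoCs: it searches for the artifacts the report names (hidden directories under `.local/share/`, an unexpected Node.js binary inside one, a file called `s.sh`, persistence entries that invoke such a binary, and `node` processes running from outside an expected path). All paths, the `HUNT_RUN` switch and the `/usr/bin/node` allow-list prefix are assumptions chosen for illustration, and the script never executes a suspect binary.

```shell
#!/bin/sh
# Added example (not from the Sysdig report): a small triage script for the
# EtherRAT host artifacts the article lists. All paths and sample data are
# constructed; nothing here executes a suspect binary.
set -u

# hunt_home_dirs ROOT
# Walks the home directories under ROOT (e.g. /home) and prints one
# "finding|<type>|<path>" line for:
#   hidden_node_runtime  a dot-directory under .local/share/ holding a node binary
#   hidden_dir           any other dot-directory under .local/share/ (triage candidate)
#   dropper_script       a file named s.sh anywhere under ROOT
# Returns 0 if anything was found, 1 otherwise.
hunt_home_dirs() {
  root=$1
  out=$(
    find "$root" -type d -path '*/.local/share/.*' -name '.*' 2>/dev/null |
      while IFS= read -r dir; do
        if [ -x "$dir/node" ] || [ -x "$dir/bin/node" ]; then
          printf 'finding|hidden_node_runtime|%s\n' "$dir"
        else
          printf 'finding|hidden_dir|%s\n' "$dir"
        fi
      done
    find "$root" -type f -name 's.sh' 2>/dev/null |
      while IFS= read -r f; do
        printf 'finding|dropper_script|%s\n' "$f"
      done
  )
  if [ -n "$out" ]; then printf '%s\n' "$out"; return 0; fi
  return 1
}

# hunt_persistence_for_node DIR_OR_FILE...
# Greps cron, systemd and autostart definitions for references to a node
# binary, to a hidden directory under .local/share/, or to s.sh. Legitimate
# Node.js services will also match: the output is a triage list, not a verdict.
hunt_persistence_for_node() {
  out=$(
    grep -rIlE '(^|[[:space:]/])node([[:space:]]|$)|\.local/share/\.|(^|[[:space:]/])s\.sh([[:space:]]|$)' "$@" 2>/dev/null |
      while IFS= read -r f; do
        printf 'finding|persistence_node_ref|%s\n' "$f"
      done
  )
  if [ -n "$out" ]; then printf '%s\n' "$out"; return 0; fi
  return 1
}

# hunt_node_processes ALLOWED_PREFIX
# Lists running node processes whose executable path does not start with
# ALLOWED_PREFIX (e.g. /usr/bin/node or /opt/app). A bare "node" resolved via
# PATH is reported too, because its origin cannot be confirmed from ps alone.
hunt_node_processes() {
  allowed=$1
  ps -eo pid=,user=,args= 2>/dev/null | awk -v allowed="$allowed" '
    $3 ~ /(^|\/)node$/ && index($3, allowed) != 1 {
      printf "finding|unexpected_node_process|pid=%s user=%s cmd=%s\n", $1, $2, $3
    }'
}

# Set HUNT_RUN=1 to run against a live host with example paths (assumed, adjust to your estate).
if [ "${HUNT_RUN:-0}" = "1" ]; then
  hunt_home_dirs /home || echo "no home-directory findings"
  hunt_persistence_for_node /etc/crontab /etc/cron.d /etc/systemd/system \
    "$HOME/.config/systemd/user" "$HOME/.config/autostart" || echo "no persistence findings"
  hunt_node_processes /usr/bin/node
fi
```

Findings are emitted as pipe-separated lines so they can be shipped to a SIEM or diffed against a baseline taken before the advisory; a hit on `hidden_node_runtime` or `dropper_script` should trigger the full persistence audit in step 3 rather than deletion of the single file, since the report describes five parallel persistence mechanisms.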

React2Shell and EtherRAT demonstrate how quickly critical web framework vulnerabilities can be turned into advanced, blockchain‑enabled intrusion campaigns. Organizations that combine secure development practices, aggressive vulnerability management and continuous behavioral monitoring will be significantly better positioned to detect, contain and eradicate such multi‑stage attacks before they lead to long‑term compromise of critical systems.
