Hackers Exploit JavaScript Library to Deploy Crypto Wallet Drainers

Cybersecurity NGO Security Alliance (SEAL) cites a considerable surge in such attacks on reputable crypto sites, stressing that attackers are uploading harmful drainers through this exploit. These drainers trick people into approving fake transactions by mimicking real pop-ups or reward claims on reputable domains.
Details About The Vulnerability
Lachlan Davidson, a white-hat hacker, found a security hole in React's server-side modules, including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. This issue allows attackers to insert and execute malicious code without authentication, compromising front-end assets on vulnerable sites.
SEAL says the vulnerability extends beyond Web3 protocols, meaning other websites that use the compromised React components are at risk of similar drain attacks.
Attackers utilise this to host disguised JavaScript that requests wallet signatures, silently stealing funds from unwary users. Because the exploit is so easy to use, occurrences have risen quickly as hackers hunt for unpatched servers.
SEAL's Urgent Alerts
The SEAL Team saw a "big uptick in drainers uploaded to legitimate crypto websites through exploitation of the recent React CVE," and they instructed all sites to check their front-end code right away for any suspicious assets.
They stressed that "All websites should review front-end code for any suspicious assets NOW," and told users to be very careful about any permission signatures that appear out of nowhere.
According to SEAL's extensive instructions, websites that suddenly get marked as phishing without a clear cause should scan for CVE-2025-55182, look for unrecognised asset hosts and obfuscated JavaScript, and ensure that the signature recipients are who they claim to be. This proactive approach tries to stop the spread of these risks before more people become victims.
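One way to run the asset-host and obfuscated-JavaScript checks described above against a rendered page, as an added example (not SEAL's or React's code). The allowlist, the marker regex and the sample HTML are constructed assumptions to adapt to your own site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the hosts this site is expected to load scripts from.
ALLOWED_HOSTS = {"app.example.com", "cdn.example.com"}

# Heuristic markers common in packed or obfuscated JavaScript (not exhaustive).
OBFUSCATION_MARKERS = re.compile(
    r"\beval\s*\(|\batob\s*\(|String\.fromCharCode|\\x[0-9a-fA-F]{2}|_0x[0-9a-f]{4,}")

class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_inline = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_inline = True
                self.inline.append("")

    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

def audit(html, page_host):
    """Return (finding_type, evidence) tuples for scripts needing review."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname or page_host  # relative URL: same host
        if host not in ALLOWED_HOSTS:
            findings.append(("unrecognised-host", src))
    for body in collector.inline:
        if OBFUSCATION_MARKERS.search(body):
            findings.append(("possible-obfuscation", body[:40]))
    return findings

# Constructed sample page: two expected scripts, one unknown host, one packed inline script.
SAMPLE_HTML = ('<script src="/static/main.js"></script><script src="https://cdn.example.com/react.js"></script>'
               '<script src="https://assets.unknown-host.invalid/claim.js"></script>'
               '<script>var _0x3fa2=["\\x68\\x69"];</script><script>console.log("ready");</script>')
```

A hit is a prompt for manual review, not proof of compromise; diff flagged assets against the last known-good deployment.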
What React Did and How It Fixed It
React developers patched CVE-2025-55182 on December 3 and strongly encourage immediate upgrades for all vulnerable modules to prevent further exploitation. The company made it clear that "If your app's React code doesn't use a server, this vulnerability doesn't affect your app."
"If your app does not employ a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability." This quick patch fixes the main remote code execution issue, but people need to stay alert, as attackers are still targeting unpatched systems.
The incident shows how important it is to fix problems quickly in the fast-changing world of web development.

