React2Shell exploitation campaign delivering EtherRAT
Campaign
Summary
The React2Shell exploitation campaign now goes beyond initial access, with attackers dropping EtherRAT and other post-exploit tooling to keep long-term access. The activity follows public disclosure of CVE-2025-55182 and targets React Server Components and related frameworks. Some of the observed tradecraft overlaps with North Korean-linked tooling, while other attempts deploy miners or credential harvesters. The mix of payloads shows an active, multi-actor abuse of a critical RCE flaw.
Cases
Related Happenings
Godzilla (BLUEBEAM) web shell and Cobalt Strike deployment via KnowledgeDeliver exploitation
Malware Activity
First: 26.05.2026 08:19
Last: 26.05.2026 08:19
Sources 1
About this happening:
The **Godzilla (BLUEBEAM)** web shell is now being used after **CVE-2026-5426** exploitation to run commands and stage **Cobalt Strike Beacon**, giving attackers a durable foothol...
Famous Chollima PromptMink supply-chain campaign targeting Web3 developers
Campaign
First: 29.04.2026 17:43
Last: 29.04.2026 17:43
Sources 1
About this happening:
The **PromptMink** campaign is widening **Famous Chollima**'s supply-chain intrusion playbook by pushing **tainted npm packages** into developer environments and stealing secrets....
UNC1069 Axios npm supply-chain campaign targeting build pipelines
Campaign
First: 01.04.2026 10:44
Last: 01.04.2026 10:44
Sources 1
About this happening:
The **Axios npm supply-chain compromise** has been tied to **UNC1069**, putting **npm consumers** and downstream **build pipelines** at risk from trojanized releases. Attackers se...
Latest development: 13.04.2026 20:39
OpenAI is revoking and rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed a compromised Axios package version 1.14.1 during a March 31, 2026 supply-chain attack. The workflow had access to certificates used to sign ChatGPT Desktop, Codex, Codex CLI, and Atlas, and OpenAI says it found no evidence that user data, systems, intellectual property, or the signing certificate were compromised.
EtherRAT Node.js backdoor with Ethereum smart-contract C2
Malware Activity
First: 26.03.2026 17:00
Last: 26.03.2026 17:00
Sources 1
About this happening:
The **EtherRAT** malware activity centers on a **Node.js-based backdoor** that uses **Ethereum smart contracts** to hide and rotate C2 infrastructure. In a **React2Shell** attack,...
GlassWorm supply-chain malware wave across GitHub, npm, and VSCode/OpenVSX
Malware Activity
First: 17.03.2026 23:42
Last: 17.03.2026 23:42
Sources 1
About this happening:
**GlassWorm** returned in a **new coordinated supply-chain attack** that compromised **433 components** across **GitHub, npm, and VSCode/OpenVSX**, creating a broad software-distr...
Latest development: 28.04.2026 00:41
GlassWorm returned in an OpenVSX supply-chain wave with 73 cloned sleeper extensions that were benign at upload and later turned malicious after an update, with six already activated to deliver malware. The extensions act as thin loaders that fetch payloads through GitHub-hosted secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript, shifting the campaign toward submitting innocuous extensions first and introducing the malicious payload later.
Timeline
- 08.12.2025 02:00 · 2 articles · 5mo ago
Sysdig analysis links EtherRAT campaigns to North Korean tooling
Technical Analysis Update: Sysdig Threat Research Team identifies a novel implant from a compromised Next.js application that delivers EtherRAT, a remote access trojan that uses Ethereum smart contracts for C2, deploys five Linux persistence mechanisms, downloads Node.js from nodejs.org, and shows overlap with Contagious Interview, BeaverTail and UNC5342.
Sources:
- React2Shell Exploit Campaigns Tied to North Korean Cyber Intrusion Tactics — www.infosecurity-magazine.com — 09.12.2025 19:15
- North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware — thehackernews.com — 09.12.2025 20:25
- 03.12.2025 02:00 · 1 article · 5mo ago
December 3 disclosure of CVE-2025-55182 in React Server Components
Initial Disclosure: Public disclosure identifies CVE-2025-55182 as a maximum-severity remote code execution vulnerability in React Server Components that affects React version 19 and related frameworks including Next.js, Waku, React Router and RedwoodSDK.
Sources:
- React2Shell Exploit Campaigns Tied to North Korean Cyber Intrusion Tactics — www.infosecurity-magazine.com — 09.12.2025 19:15