Hackers Exploit JavaScript Library to Target Crypto Wallets
Attackers are injecting malicious code onto live websites using a severe React Server Components bug to steal crypto from wallets.
Reports say the React team disclosed CVE-2025-55182 on December 3 with a maximum severity rating.
Security Alliance (SEAL) says various crypto websites are being attacked and advises operators to verify all React Server Components immediately to prevent wallet-draining attacks.
Security teams claim the weakness allows an unauthenticated attacker to run code on compromised servers, which has led to wallet-draining campaigns on multiple sites.
Wide Risk to Server-Component Sites
After disclosure, SEAL released patched versions 19.0.1, 19.1.2, and 19.2.1 for React Server Components versions 19.0 through 19.2.0.
Unsafe deserialization in the Flight protocol allows a single crafted HTTP request to execute arbitrary code with the web server's privileges. Security teams say many sites running default configurations are at risk until they make changes.
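For operators acting on the advice to verify their React Server Components, this added example (not from the article or the React project) scans a parsed package-lock.json for RSC packages still on a 19.x release below the patched versions listed above. The npm package names react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack, and all function names, are assumptions not stated in the article; the sample lockfile is constructed.

```javascript
// Added example: flag RSC packages on a release the article lists as affected
// (19.0 through 19.2.0). Patched releases per the article: 19.0.1, 19.1.2, 19.2.1.
const FIRST_PATCHED = { "19.0": 1, "19.1": 2, "19.2": 1 }; // release line -> fixed patch number

// Assumption: these npm packages carry the RSC Flight implementation;
// the article does not name them.
const RSC_PACKAGE = /(^|\/)node_modules\/(react-server-dom-(webpack|parcel|turbopack))$/;

function parseVersion(v) {
  // Drop prerelease/build suffixes, e.g. "19.1.0-canary.1" -> [19, 1, 0].
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function isAffected(version) {
  const parts = parseVersion(version);
  if (!parts) return false;
  const fixed = FIRST_PATCHED[`${parts[0]}.${parts[1]}`];
  // Only the 19.0, 19.1 and 19.2 lines are in scope; compare the patch number.
  return fixed !== undefined && parts[2] < fixed;
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3, "packages" map).
function findAffectedRsc(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const m = RSC_PACKAGE.exec(path);
    if (m && isAffected(meta.version)) {
      findings.push({ path, name: m[2], version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile, not taken from any real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/some-lib/node_modules/react-server-dom-parcel": { version: "19.0.0" },
    "node_modules/react": { version: "19.2.0" },
  },
};

for (const f of findAffectedRsc(sampleLock)) {
  console.log(`AFFECTED ${f.name}@${f.version} at ${f.path}`);
}
```

Pass the result of `JSON.parse` on a project's package-lock.json to `findAffectedRsc`. A framework that ships its own bundled copy of these packages will not appear under these paths, so check that framework's advisory separately.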
Attackers inject wallet-draining scripts into compromised pages.
Threat actors are using the exploit to plant scripts that trigger Web3 wallet connections and hijack or redirect transactions, according to industry blogs.
Injected code might change the user interface or swap addresses, making a user think they're sending money to one account while actually paying an attacker. Users who connect wallets without approval on trusted crypto sites may be affected.
Scanners and POCs flooded underground forums.
Security researchers say a rush of scanning tools, fake proof-of-concept code, and exploit kits appeared in underground forums after the vulnerability was disclosed.
Cloud and threat-intelligence teams have seen numerous organizations scanning for weak servers and testing payloads, accelerating active exploitation.
Some defenders believe the speed and volume of scanning make it hard to halt all attempts before fixes are applied.


