Security group SEAL warns of a wave of wallet “drainers” being slipped onto crypto sites by exploiting a recently disclosed React vulnerability.

What happened

- On Dec. 3 the React team published a patch after white-hat researcher Lachlan Davidson disclosed an unauthenticated remote code execution flaw (CVE-2025-55182) that could let attackers inject and run arbitrary front-end code.
- Cybersecurity nonprofit Security Alliance (SEAL) says threat actors have been using that hole to quietly add wallet-draining scripts to legitimate crypto websites — prompting a “big uptick” in malicious payloads being uploaded to compromised sites.

How the attacks work

- Injected scripts present fake pop-ups or reward prompts that trick users into signing transactions. Once a user signs, funds are transferred to attacker-controlled addresses.
- SEAL also reports affected sites may suddenly be flagged as phishing pages, which can block legitimate projects until the issue is resolved.

Immediate steps for site operators (SEAL’s advice)

- Patch now: upgrade React packages tied to React Server Components — specifically react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack — to the fixed versions released Dec. 3.
- Scan hosts for indicators of CVE-2025-55182 exploitation and for unfamiliar assets being loaded by your front end.
- Look for obfuscated JavaScript, unknown CDNs or hosts, and scripts injected into page builds or served assets.
- Verify signature prompts display the correct recipient address before asking users to sign any transaction.
- If your project is blocked as a phishing page, review and clean your front-end code before requesting a warning removal.

Who is and isn’t affected

- Apps that use React Server Components or the affected bundler plugins need to patch. If your React code does not use a server, or you don’t use a bundler/plugin that supports React Server Components, you’re likely not affected.

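One way to carry out the scanning steps in SEAL’s advice above (unfamiliar script hosts, obfuscated JavaScript in served pages), as an added example that is not code from SEAL or the React team. The host allowlist, the sample HTML and the marker list are assumptions constructed for illustration, and the markers are heuristics that flag pages for manual review.

```javascript
// Added example: audit served HTML for unknown script hosts and obfuscation markers.
// ALLOWED_HOSTS and SAMPLE_HTML are constructed for illustration (assumptions).
const ALLOWED_HOSTS = new Set(["app.example.org", "cdn.example.org"]);

// Heuristic markers often seen in obfuscated or injected JavaScript.
const OBFUSCATION_MARKERS = [
  ["eval-call", /\beval\s*\(/],
  ["function-constructor", /\bnew\s+Function\s*\(/],
  ["base64-decode", /\batob\s*\(/],
  ["charcode-build", /String\.fromCharCode\s*\(/],
  ["hex-escape-run", /(?:\\x[0-9a-fA-F]{2}){8,}/],
  ["long-encoded-literal", /["'][A-Za-z0-9+\/=]{200,}["']/],
];

function scanScriptText(text) {
  return OBFUSCATION_MARKERS.filter(([, re]) => re.test(text)).map(([name]) => name);
}

function auditHtml(html, pageOrigin, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    if (src) {
      const raw = src[1] ?? src[2] ?? src[3];
      let host;
      try {
        host = new URL(raw, pageOrigin).hostname; // resolves relative and // URLs
      } catch {
        findings.push({ type: "unparseable-src", detail: raw });
        continue;
      }
      if (!allowedHosts.has(host)) findings.push({ type: "unknown-host", detail: host });
    }
    // Inline script bodies are checked against every marker.
    for (const marker of scanScriptText(body)) findings.push({ type: "obfuscation", detail: marker });
  }
  return findings;
}

// Constructed sample: two expected scripts, one foreign host, one inline loader.
const SAMPLE_HTML = `
<script src="/static/main.js"></script>
<script src="//cdn.example.org/lib.js"></script>
<script src="https://assets.unknown-host.example/w.js"></script>
<script>eval(atob("Y29uc3RydWN0ZWQ="));</script>`;
console.log(auditHtml(SAMPLE_HTML, "https://app.example.org"));
```

Run it with Node.js, passing the contents of each HTML file your build or origin serves to `auditHtml` along with your own allowlist of script hosts.
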
Quick tips for users

- Don’t sign unexpected pop-ups or approve unfamiliar transactions.
- When a wallet prompts for a signature, always confirm the recipient address and transaction details.
- Use hardware wallets and browser wallet protections where possible.

Why this matters for crypto

Front-end compromises are a high-risk vector for on-chain theft because they exploit legitimate sites users trust. The combination of a high-impact RCE in a widely used library plus automated injection campaigns can lead to rapid, large-scale losses if not addressed quickly.

Stay safe: site operators should prioritize the React patch and a thorough front-end audit; users should be vigilant about signing requests and verify recipient addresses.


