Critical React Server Components RCE (React2Shell) exploited on thousands of sites — enables Monero miners and front-end wallet-stealing scripts
First published: 2025-12-16T05:25:28Z
A remote code execution flaw (CVE-2025-55182, "React2Shell") in React Server Components (React 19.0–19.2.0 and related packages) is being actively exploited against thousands of unpatched React/Next.js sites. Attackers can run arbitrary commands on servers to deploy malware, backdoors and Monero (XMR) miners, and inject malicious front-end scripts that can intercept or redirect wallet interactions on crypto platforms. Google Threat Intelligence Group reports multiple financially motivated and suspected state-backed campaigns; site operators are urged to patch immediately.
AI Analysis
GTIG reports active exploitation of a React Server Components RCE (CVE-2025-55182) affecting thousands of unpatched sites. The flaw allows arbitrary command execution, deployment of malware/backdoors and Monero miners, and injection of front-end scripts that can intercept or redirect wallet interactions. These facts increase theft and malware risk and can move markets for affected crypto services and XMR.
Expected Investor Sentiment: Bearish
Potential Market Impact: High