There has been a recent uptick in crypto drainers being uploaded to websites through a vulnerability in the open-source front-end JavaScript library React, according to cybersecurity nonprofit Security Alliance (SEAL).
React is used for building user interfaces, especially in web applications. The React team disclosed on Dec. 3 that a white hat hacker, Lachlan Davidson, found a security vulnerability in its software that allowed unauthenticated remote code execution, which can allow an attacker to insert and run their own code.
According to SEAL, bad actors have been using the vulnerability, CVE-2025-55182, to secretly add wallet-draining code to crypto websites.
“We are observing a big uptick in drainers uploaded to legitimate crypto websites through exploitation of the recent React CVE. All websites should review front-end code for any suspicious assets NOW,” the SEAL Team said.
“The attack is targeting not only Web3 protocols! All websites are at risk. Users should exercise caution when signing ANY permit signature.”
Wallet drainers typically dupe users into signing a transaction through methods such as a sham pop-up offering rewards or similar tactics.
Websites with phishing warning should check code
Affected websites may have been suddenly flagged as a possible phishing risk without explanation, according to the SEAL Team. They recommend website hosts take precautions to ensure there are no hidden drainers that could put users at risk.
“Scan host for CVE-2025-55182. Check if your front-end code is suddenly loading assets from hosts you do not recognize. Check if any of the scripts loaded by your front end code are obfuscated JavaScript. Inspect if the wallet is showing the correct recipient on the signature signing request,” they said.
Related: North Korean ‘fake Zoom’ crypto hacks now a daily threat: SEAL
“If your project is getting blocked, that may be the reason. Please review your code first before requesting phishing page warning removal,” the SEAL Team added.
React has released a fix for the vulnerability
The React team published a fix for CVE-2025-55182 on Dec. 3 and advises anyone using the react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack, to upgrade immediately and close the vulnerability.
“If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability,” the team added.
Magazine: Meet the onchain crypto detectives fighting crime better than the cops
