A newly discovered loophole in one of the web’s most used development tools is giving hackers a new way to drain cryptocurrency wallets.

Cybersecurity researchers have reported a surge in malicious code uploaded to legitimate websites through a vulnerability in the popular JavaScript library React, a tool used by countless crypto platforms for their front-end systems.

Crypto Drainer Attacks Surge via React Flaw

According to Security Alliance (SEAL), a nonprofit cybersecurity Cybersecurity Cybersecurity is a blanket term that refers to the protection of computer systems and networks from the theft.More broadly speaking, cybersecurity can also represent countermeasures against damage to hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.It was not long ago that the term cybersecurity not exist as it was first used in 1989. In today’s vernacular cybersecurity, refers to measures taken to protect a computer or computer Cybersecurity is a blanket term that refers to the protection of computer systems and networks from the theft.More broadly speaking, cybersecurity can also represent countermeasures against damage to hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.It was not long ago that the term cybersecurity not exist as it was first used in 1989. In today’s vernacular cybersecurity, refers to measures taken to protect a computer or computer Read this Term organization, criminals are actively exploiting a recently disclosed React vulnerability labeled CVE-2025-55182.

Crypto Drainers using React CVE-2025-55182

We are observing a big uptick in drainers uploaded to legitimate (crypto) websites through exploitation of the recent React CVE.

All websites should review front-end code for any suspicious assets NOW.

— Security Alliance (@_SEAL_Org) December 13, 2025

“We are observing a big uptick in drainers uploaded to legitimate crypto websites through exploitation of the recent React CVE,” SEAL stated on X (formerly Twitter). “All websites should review front-end code for any suspicious assets NOW.”

• HP CEO “Exposes” Ink Cartridge Vulnerability Triggering Legal Storm
• Exness Rewards Up to $10,000 in New Bug Bounty Program
• How to Increase Business Security Using a Honeypot

The flaw enables unauthenticated remote code execution, allowing attackers to secretly inject wallet-draining scripts into websites. The malicious code tricks users into approving fake transactions via deceptive pop-ups or reward prompts.

Read more: Hackers Exploit JavaScript Accounts in Massive Crypto Attack Reportedly Affecting 1B+ Downloads

SEAL cautioned that some compromised sites may be unexpectedly flagged as phishing Phishing Phishing is a form of cyber-attack in which fake websites, emails, and text messages are used to elicit personal data. The most common targets in this assault are passwords, private cryptocurrency keys, and credit card details.Phishers disguise themselves as reputable businesses and other types of entities. In certain instances, reputable government organizations or authorities are impersonated in order to collect this data.Because phishing relies on psychological manipulation rather than techno Phishing is a form of cyber-attack in which fake websites, emails, and text messages are used to elicit personal data. The most common targets in this assault are passwords, private cryptocurrency keys, and credit card details.Phishers disguise themselves as reputable businesses and other types of entities. In certain instances, reputable government organizations or authorities are impersonated in order to collect this data.Because phishing relies on psychological manipulation rather than techno Read this Term risks. The organization advised web administrators to conduct immediate security audits to catch any injected assets or obfuscated JavaScript.

“If your project is getting blocked, that may be the reason. Please review your code first before requesting phishing page warning removal. The attack is targeting not only Web3 protocols! All websites are at risk. Users should exercise caution when signing ANY permit signature.”

Scan host for CVE-2025-55182

Check if your FE code is suddenly loading assets from hosts you do not recognize

Check if any of the "Scripts" loaded by your FE code are obfuscated JavaScript

Inspect if the wallet is showing the correct recipient on the signature signing request

— Security Alliance (@_SEAL_Org) December 13, 2025

Phishing Flags and Hidden Drainers

The group warned that developers who find their projects mistakenly blocked as phishing pages should inspect their code first before appealing the warning.

In September, a major software supply-chain attack infiltrated JavaScript packages, raising the risk that cryptocurrency users could be exposed to theft.

The incident involved the compromise of a reputable developer’s account on the Node Package Manager platform, allowing attackers to distribute malicious code through packages that have been downloaded more than one billion times.

🚨 There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.

The malicious payload works…

— Charles Guillemet (@P3b7_) September 8, 2025

“There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised,” Guillemet explained. “The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.”