North Korean-linked threat actors are reportedly exploiting React2Shell, a critical security flaw in React Server Components (RSC), to deploy a new remote access trojan named EtherRAT. According to a recent report, the malware uses Ethereum smart contracts to locate its command-and-control (C2) server and installs several independent persistence mechanisms on Linux systems.
Sysdig, a cloud security firm, linked the new campaign to a long-running operation codenamed Contagious Interview, which has been distributing malware since at least February 2025 using a technique called EtherHiding, in which attacker-controlled data is stored in public blockchain smart contracts. Contagious Interview targets blockchain and Web3 developers through fake job interview processes.
EtherRAT: A New Threat Emerges
EtherRAT’s discovery shows how far these actors’ tactics have evolved. According to software supply chain security company Socket, they adapt readily to JavaScript- and cryptocurrency-centric workflows. The attack chain begins with exploitation of CVE-2025-55182, the React2Shell vulnerability in RSC, which carries a CVSS score of 10.0. The initial exploit runs a Base64-encoded shell command that downloads and executes a shell script.
That shell script prepares the target environment by downloading Node.js version 20.10.0 from nodejs.org. It then writes an encrypted blob and an obfuscated JavaScript dropper to disk and deletes itself to reduce forensic traces. The dropper decrypts the EtherRAT payload with a hard-coded key and runs it using the downloaded Node.js binary, so the implant never depends on a Node.js installation already present on the host.
EtherRAT’s C2 infrastructure is notable for its use of EtherHiding: every five minutes the malware reads its current C2 server URL out of an Ethereum smart contract, so the URL is never hard-coded in the implant and can be rotated by updating the contract. Sysdig reports that this implementation is unusual in querying nine public Ethereum remote procedure call (RPC) endpoints and taking the majority response as the answer. A defender who redirects the implant to a single rogue RPC node, or sinkholes one endpoint, is simply outvoted by the others, which makes the C2 channel far harder to disrupt.
The EtherHiding method itself is not new; a similar approach was previously observed in two npm packages, colortoolsv2 and mimelib2, which also delivered downloader malware to developers. Once EtherRAT has a C2 URL, it polls the server every 500 milliseconds, and any response longer than 10 characters is treated as JavaScript and executed on the infected machine.
Persistence is achieved through five independent Linux mechanisms: a systemd user service, an XDG autostart entry, cron jobs, .bashrc injection, and profile injection, so the malware survives a reboot and a new login session even if one mechanism is removed. EtherRAT can also update itself, replacing its running code with a new version received from the C2 server. The replacement is functionally identical but obfuscated differently, which appears intended to defeat static, signature-based detection.
The links to Contagious Interview go beyond EtherHiding. The encrypted loader pattern used in EtherRAT overlaps with BeaverTail, a known JavaScript information stealer and downloader. EtherRAT also marks a shift in how React2Shell is being exploited, from opportunistic cryptomining and credential theft towards stealthy, persistent access for long-term operations.
Contagious Interview Adapts Attack Vectors
In parallel with the EtherRAT discovery, OpenSourceMalware has described a Contagious Interview variant that reaches developers through their integrated development environment. Victims are asked, as part of a supposed programming assignment, to clone a malicious repository from GitHub, GitLab, or Bitbucket and open the project in Microsoft Visual Studio Code (VS Code).
The repository carries a tasks.json file in its .vscode directory defining a task with runOptions.runOn set to folderOpen, so VS Code runs it automatically as soon as the folder is opened. That task uses curl or wget, depending on the operating system, to download a loader script. On Linux, the loader fetches further shell scripts that download additional files, including package.json and env-setup.js, and env-setup.js then launches the BeaverTail and InvisibleFerret malware.
OpenSourceMalware has identified 13 distinct versions of this VS Code-focused campaign across 27 GitHub users, with repositories dating back to April 22, 2025. The infrastructure has shifted as well: the DPRK actors now host their operations largely on Vercel, having mostly abandoned providers such as Fly.io, Platform.sh, and Render.
Taken together, EtherRAT and the evolving Contagious Interview tradecraft give defenders an implant that resists both signature-based detection and conventional takedown, since its C2 location lives on a public blockchain rather than on any single server. The continued adaptation of these North Korean-linked groups calls for sustained vigilance, particularly within the JavaScript and blockchain development communities they target.