Critical React Bug Enables Token Drain Across Thousands of Websites
Security researchers warned on Dec. 16, 2025 that a critical bug in React is being actively abused to inject malicious code into thousands of websites. Attackers use the flaw to deploy crypto-mining tools and broader malware that can hijack server resources and insert scripts into pages that handle cryptocurrency transactions, creating a pathway to intercept wallet activity and siphon tokens.
The issue matters for both developers and crypto users because compromised front-ends can bypass conventional backend controls and target client-side wallets and browser extensions. Site operators should prioritize applying vendor patches, auditing third-party dependencies and scripts, and enforcing a strict Content Security Policy (CSP). Crypto users should double-check transaction flows, consider using hardware wallets, and monitor account activity while affected services patch the vulnerability.
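
An added example, not from the original article: a minimal Node.js check of two of the operator-side mitigations named above, auditing a CSP header for script-loading weaknesses and a page's external `<script>` tags against an origin allowlist with Subresource Integrity (SRI). The function names, the origins (`shop.example`, `cdn.example`, `stats.invalid`) and the sample header and HTML are assumptions constructed for illustration.

```javascript
// Added example; SAMPLE_CSP and SAMPLE_HTML are constructed, not taken from any real site.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}
// Flag script-loading weaknesses in a Content-Security-Policy header value.
function auditCsp(header) {
  const policy = parseCsp(header);
  const src = policy["script-src"] || policy["default-src"]; // fallback per CSP
  if (!src) return ["no script-src or default-src: scripts may load from any origin"];
  const findings = [];
  const hasNonceOrHash = src.some((s) => /^'(nonce|sha256|sha384|sha512)-/i.test(s));
  const strictDynamic = src.some((s) => /^'strict-dynamic'$/i.test(s));
  for (const s of src) {
    // Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
    if (/^'unsafe-inline'$/i.test(s) && !hasNonceOrHash) findings.push("'unsafe-inline' lets injected inline scripts run");
    if (/^'unsafe-eval'$/i.test(s)) findings.push("'unsafe-eval' permits string-to-code execution");
    // Host and scheme sources are ignored under 'strict-dynamic'.
    if (/^(\*|https?:|data:)$/i.test(s) && !strictDynamic) findings.push(`${s} allows scripts from arbitrary sources`);
  }
  return findings;
}
// Flag external <script> tags that are off the allowlist or lack an SRI hash.
// Regex tag matching is a simplification; use an HTML parser on real pages.
function auditScripts(html, pageOrigin, allowedOrigins) {
  const findings = [];
  for (const [, attrs] of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = /(?:^|\s)src\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue; // inline scripts are governed by the CSP
    const url = new URL(src[1], pageOrigin);
    if (url.origin === pageOrigin) continue;
    if (!allowedOrigins.includes(url.origin)) findings.push(`unexpected script origin: ${url.origin}`);
    else if (!/(?:^|\s)integrity\s*=/i.test(attrs)) findings.push(`no SRI hash on ${url.href}`);
  }
  return findings;
}

const SAMPLE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
const SAMPLE_HTML = `<script src="/static/app.js"></script>
<script src="https://cdn.example/wallet-sdk.js"></script>
<script src="https://cdn.example/ui.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://stats.invalid/t.js"></script>`;
console.log(auditCsp(SAMPLE_CSP));
console.log(auditScripts(SAMPLE_HTML, "https://shop.example", ["https://cdn.example"]));
```

Run against each deployed build, a new finding from `auditScripts` on a page that handles wallet transactions is a signal to investigate before users interact with it.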