Baddies are exploiting a critical bug in React Native's Metro development server to deliver malware to both Windows and Linux machines, and yet the in-the-wild attacks still haven't received the "broad public acknowledgement" that they should, according to security researchers.
The vulnerability affects the React Native Community command line tool, a very popular npm package with nearly 2.5 million weekly downloads. React Native is a development tool created by Meta that allows users to build mobile applications for iOS and Android using JavaScript and React.
The flaw, tracked as CVE-2025-11953, arises because the Metro development server started by the React Native Community command line tool exposes an endpoint vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run malicious executables. Similarly, on Windows machines, miscreants can abuse the security hole to execute arbitrary shell commands with fully controlled arguments.
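Because the exposure is an unauthenticated POST reaching a development server that was never meant to face the network, one practical check is to scan the dev server's request log for non-local POSTs and for the attacking source IPs the article lists at the end. The script below is an added example, not Metro's, JFrog's or VulnCheck's code; it assumes a constructed one-line-per-request log format ('<timestamp> <client_ip> <method> <path> <status>') and a placeholder path '/example', so adapt the parser to whatever proxy or server logging you actually have.

```python
import ipaddress
from dataclasses import dataclass

IOC_IPS = {"65.109.182.231", "223.6.249.141", "134.209.69.155"}  # source IPs from the article

LOCAL_NETS = [ipaddress.ip_network(n) for n in (  # ranges a dev server should legitimately hear from
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


@dataclass
class Finding:
    line_no: int
    client_ip: str
    reason: str


def is_local(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local or ULA addresses (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def scan_log(lines):
    """Assumed log shape: '<timestamp> <client_ip> <method> <path> <status>'.
    Unparsable lines are skipped so one bad entry cannot abort the scan."""
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        _, ip, method, path = parts[:4]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        if ip in IOC_IPS:
            findings.append(Finding(n, ip, "source IP matches published IoC"))
        elif method.upper() == "POST" and not is_local(ip):
            findings.append(Finding(n, ip, f"POST {path} from non-local address"))
        elif not is_local(ip):
            findings.append(Finding(n, ip, "dev server reachable from non-local address"))
    return findings


# Constructed sample log; /example is a placeholder path, not Metro's endpoint.
SAMPLE_LOG = [
    "2026-01-04T10:00:01Z 127.0.0.1 GET /status 200",
    "2026-01-04T10:00:05Z 192.168.1.20 POST /example 200",
    "2026-01-04T10:00:09Z 65.109.182.231 POST /example 200",
    "2026-01-21T03:12:44Z 198.51.100.7 POST /example 200",
    "2026-01-21T03:13:02Z 203.0.113.9 GET /status 200",
    "malformed entry",
]
```

Any finding at all means the server is reachable from outside the developer's own machine or LAN, which is the condition the article describes; the real fix is the patched CLI plus binding the dev server only to interfaces that need it.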
JFrog researchers discovered the vulnerability and disclosed it in early November after Meta issued a fix. The research team assigned it a critical, 9.8 CVSS severity rating, meaning it's almost as bad as bugs get.
Bug hunters wasted no time publishing proof-of-concept exploits on GitHub, with one such POC being published the same day as the public bug disclosure.
"VulnCheck observed exploitation attempts as early as December, well before public discussion framed CVE-2025-11953 as anything more than a theoretical risk," VulnCheck CTO Jacob Baines told The Register. "This demonstrates how quickly attackers can act once scanning becomes viable, and why developer tooling - widespread, inconsistently monitored, and often not treated as production-grade - represents a particularly attractive early target."
In a Tuesday blog, Baines said the bug isn't receiving the attention it deserves.
"Now, more than a month after initial exploitation in the wild, that activity has yet to see broad public acknowledgment, and EPSS [the Exploit Prediction Scoring System] continues to assign a low exploitation probability of 0.00405. This gap between observed exploitation and wider recognition matters, particularly for vulnerabilities that are easy to exploit and, as internet-wide search data shows, exposed on the public internet," he wrote.
Baines said the first wave of exploitation began in December, with more attacks delivering the same payloads observed on January 4 and January 21.
These attacks used a multi-stage PowerShell-based loader delivered through cmd.exe, and the code disabled Microsoft Defender protections before retrieving and running the payload: a Rust-based binary with anti-analysis features, including runtime checks to help avoid detection via static inspection.
"The deliberate disabling of Microsoft Defender protections before payload retrieval indicates the attacker anticipated the presence of endpoint security controls and incorporated evasion measures into the initial execution flow," Baines wrote in a Tuesday blog.
The attacks originated from the following IP addresses: 65.109.182.231, 223.6.249.141, and 134.209.69.155, with the "windows" payload hosted at 8.218.43.248:60124, and 47.86.33.195:60130 hosting both a "windows" and "linux" binary. ®
