www.securityweek.com 2/3/2026, 2:30:33 PM

Critical React Native Vulnerability Exploited in the Wild

CyberSIXT Evidence Panel: CISA KEV: listed; Patch: available

SecurityWeek reports that threat actors have been exploiting a critical React Native vulnerability, CVE-2025-11953 (CVSS 9.8), since late December, with initial exploitation observed on December 21 and further activity on January 4 and 21. The flaw affects the React Native Community CLI NPM package (@react-native-community/cli), part of Metro’s development server. That server can bind to external interfaces, exposing deployments to unauthenticated remote OS command execution via simple POST requests.

VulnCheck notes that thousands of internet‑accessible React Native instances could be at risk, and a multi‑stage PowerShell‑based loader was observed delivering payloads designed to disable Microsoft Defender protections, establish a raw TCP connection to attackers’ hosts, and fetch and execute the downloaded payload. The final payload, written in Rust, targets both Windows and Linux systems and uses basic anti‑analysis logic.

According to VulnCheck, this incident highlights that development infrastructure can effectively become production infrastructure the moment it is reachable.


Article by CyberSIXT