
Attacks involving critical React Native bug target Windows, Linux systems


Intrusions leveraging the critical React Native Community CLI NPM package vulnerability, tracked as CVE-2025-11953, have been launched to compromise Windows and Linux systems with malware since late December, reports SecurityWeek.

After initially targeting the flaw, which has been dubbed Metro4Shell, on Dec. 21, threat actors exploited the issue again on Jan. 4 and Jan. 21 to deliver a multi-stage PowerShell-based loader, according to VulnCheck. The loader deactivates Microsoft Defender and sets up a raw TCP connection to the attacker-controlled host before retrieving and executing an illicit Rust-based payload with anti-analysis capabilities. The integration of evasion tactics into the primary execution flow indicates that the attackers expected endpoint security measures to be present.

"CVE-2025-11953 is not remarkable because it exists. It is remarkable because it reinforces a pattern defenders continue to relearn. Development infrastructure becomes production infrastructure the moment it is reachable, regardless of intent," VulnCheck added.
