A critical vulnerability in the React Native CLI Metro server is being actively exploited to execute remote commands and deploy stealthy Rust-based malware. Although the flaw allows unauthenticated attackers to run arbitrary code on exposed systems, it has remained under the radar with a low public risk score despite weeks of observed real-world attacks.
The React Native Community CLI starts a Metro development server that, by default, binds to external network interfaces rather than only to localhost. This configuration exposes an endpoint vulnerable to OS command injection, allowing anyone who can reach the server on the network to send a crafted POST request and execute unauthorized programs. On Windows systems the risk is even greater, as attackers can execute full shell commands with complete control over the arguments. Because Metro serves as the primary JavaScript bundler for React Native development, this flaw creates a direct path for attackers to compromise developer environments.
Security researchers at VulnCheck first identified these attacks in late December 2025 and continued to observe them throughout January. Despite this sustained malicious activity, the vulnerability has not received widespread attention from the broader security community. Its current exploit prediction score remains misleadingly low, which is a significant concern because the flaw is relatively easy to exploit and many vulnerable servers are still reachable from the public internet.
The observed attacks show a sophisticated, operational approach rather than simple automated testing. Threat actors are using a multi-stage process that begins with a PowerShell loader delivered via the command line. This loader is designed to disable Microsoft Defender protections to ensure the subsequent stages of the attack remain undetected. Once the system is weakened, the attackers fetch additional payloads over raw TCP connections to finalize the infection.
The final stage of the attack involves the execution of a specialized Rust-based binary. To evade detection and make recovery more difficult, this malware is packed using UPX and includes various anti-analysis features. This choice of programming language and obfuscation highlights a deliberate effort by the hackers to maintain a persistent and stealthy presence on the compromised developer machines.
Because the attackers have been using the same infrastructure and techniques for several weeks without much resistance, defenders are at a significant disadvantage. The gap between the start of real-world exploitation and official public recognition often leaves organizations unprepared to patch or mitigate the threat. It is vital for developers using React Native to secure their Metro server configurations immediately to prevent becoming the next target of this ongoing campaign.
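The root cause described above is a development server listening on every interface instead of the loopback address, so the first defensive check is simply finding such listeners on developer machines. The following script is an added example written for this summary; it is not code from the article, from VulnCheck, or from the React Native project. It assumes Metro's default port of 8081 (the article does not name the port) and parses socket-listing output in the shape of `ss -ltn` on Linux or `netstat -an` on Windows; the sample output embedded below is constructed for illustration.

```python
"""Audit a host for development-server listeners bound to all interfaces.

Added example, not part of the original article or the React Native tooling.
Assumptions: Metro listens on port 8081 (its usual default); input is the text
produced by `ss -ltn` (Linux) or `netstat -an` (Windows). Sample data is constructed.
"""
import ipaddress
import platform
import re
import subprocess
from typing import List, Tuple

METRO_PORT = 8081  # assumption: Metro's default port, not stated in the article
WILDCARDS = {"0.0.0.0", "::", "*"}  # "listen on every interface" spellings
# Matches the local-address token of a socket line: 0.0.0.0:8081, [::]:3000, *:8081
_ENDPOINT = re.compile(r"^\[?([^\]\s]*?)\]?:(\d+)$")


def is_exposed(addr: str) -> bool:
    """True if a listening address accepts connections from other hosts."""
    if addr in WILDCARDS:
        return True
    if addr == "localhost":
        return False
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unparseable address: report it rather than silently skip it


def audit_listeners(output: str, port: int = METRO_PORT) -> List[Tuple[str, bool]]:
    """Return (local_address, exposed) for every LISTEN socket on `port`.

    Only the first address:port token on each line is considered, because both
    `ss` and `netstat` print the local address before the peer/foreign address.
    """
    findings: List[Tuple[str, bool]] = []
    for line in output.splitlines():
        if "LISTEN" not in line:  # "LISTEN" (ss) and "LISTENING" (netstat)
            continue
        for token in line.split():
            match = _ENDPOINT.match(token)
            if not match:
                continue
            addr, found_port = match.group(1), int(match.group(2))
            if found_port == port:
                findings.append((addr, is_exposed(addr)))
            break  # stop after the local address token
    return findings


# Constructed sample output: a Metro listener on all IPv4 interfaces (bad),
# a database on loopback, and an unrelated IPv6 wildcard listener on 3000.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    0.0.0.0:8081        0.0.0.0:*         users:(("node",pid=4242,fd=19))
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      511    [::]:3000           [::]:*
"""

# Constructed Windows sample: one exposed Metro listener and one safely bound one.
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8081         0.0.0.0:0              LISTENING
"""


def live_socket_listing() -> str:
    """Run the platform's socket-listing command and return its output."""
    cmd = ["netstat", "-an"] if platform.system() == "Windows" else ["ss", "-ltn"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for label, listing in (("sample ss", SAMPLE_SS), ("sample netstat", SAMPLE_NETSTAT)):
        for addr, exposed in audit_listeners(listing):
            verdict = "EXPOSED to the network" if exposed else "loopback only"
            print(f"[{label}] port {METRO_PORT} bound to {addr}: {verdict}")
    try:  # then the real machine, if the listing tool is available
        for addr, exposed in audit_listeners(live_socket_listing()):
            print(f"[live] port {METRO_PORT} bound to {addr}: "
                  f"{'EXPOSED to the network' if exposed else 'loopback only'}")
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"[live] could not list sockets: {exc}")
```

Any finding marked exposed means the Metro endpoint is reachable by whoever shares the network, which is the precondition for the unauthenticated exploitation the article describes. The fix on the developer side is to bind the server to the loopback address (the community CLI's `start` command accepts a host through its `--host` option) and, on the network side, to block inbound connections to the port with the host firewall; rerunning the audit afterwards should report the listener as loopback only or not at all.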
Source: Hackers Exploited React Native CLI Flaw To Deploy Rust Malware Before Disclosure